New blog articles in Products

Customer Offerings:Device Protection w/ Microsoft Endpoint Manager & Microsoft Defender for Endpoint

John_Barbare — Tue, 02 Mar 2021 08:00:00 GMT

Introduction

Welcome to another customer offering article to inform you about how to configure, setup, and deploy endpoint protection policies which include protective measures from Microsoft. In this article, we will present Premier Services Offerings WorkshopPLUS - Device Protection with Microsoft Endpoint Manager and Microsoft Defender for Endpoint.

Offering Overview

With customers needing a deployment solution to push out Microsoft security policies and configurations, this offering will address this and more. This Premier offering builds on the fundamental security components and features of any Microsoft Endpoint Configuration Manager environment such as RBAC or role-based administration, Endpoint Protection, Exploit Guard, Application Guard, Microsoft Defender for Endpoint, BitLocker Drive Encryption, and Compliance Settings. With this new customer offering, we were able to provide a 3-day hands on training in a live demo tenant to meet and exceed customer expectations.

What the workshop entails

What's Included

The content of this offering is a mix of education, administration, compliance, and security best practices at the L200-L300 level. This offering focuses on the breadth of Microsoft Endpoint Configuration Manager, Microsoft Defender for Endpoint, M365 Security (on-prem and in the cloud), and also Intune. The Device Protection with Microsoft Endpoint Manager and Microsoft Defender for Endpoint workshop is a three day engagement where you will learn about configuring a tenant using labs hosted in the cloud (Microsoft Labs on Demand) with a full M365 E5 license (EMS E5 + M365 E5 + Office 365 E5). Each module contains scenarios that provide students with in-depth expertise, tools, and hands-on experience to help implement and troubleshoot security related concepts as they pertain to Microsoft Endpoint Configuration Manager.

Endpoint Protection policies

Areas Covered

The sections below sections are covered in detail throughout the three-day offering and expand on each objective to maximize your understanding of each topic and focus area through knowledge transfer modules.

Introduction to Endpoint Security - Overall introduction to security settings and recommendations that can be managed using Microsoft Endpoint Configuration Manager and Intune.

Role Based Access Control – Overview of Role Based Administration Control concept in Microsoft Endpoint Configuration Manager, including the reporting feature.

Endpoint Protection Technologies Overview - Objectives focus on a deeper dive into the technologies that make up Endpoint Protection.

Antimalware Policies - Objectives focus on learning the basic concepts and terminology for Endpoint Protection Antimalware Policies for Microsoft Defender Antivirus.

CAMP and Security Intelligence Updates - Objectives focus on managing Endpoint Protection Definition updates through Configuration Manager.

Endpoint Protection Alerts and Reporting - Objectives focus on how to configure and use alerts and report notifications within Configuration Manager.

Endpoint Protection Troubleshooting - Objectives focus on learning troubleshooting techniques for securing endpoints.

Exploit Guard and Application Guard - Objectives focus on learning about Attack Surface Reduction, Controlled Folder Access, and Exploit and Network Protection. You will also learn how to mitigate security threats using containers by deploying Application Guard.

Microsoft Defender for Endpoint - Objectives focus on learning how to onboard endpoints to Microsoft Defender for Endpoint using Microsoft Endpoint Configuration Manager and explore basic operational possibilities within Microsoft Defender for Endpoint portal.

Device Encryption - Learn what is BitLocker and explore modern management possibilities to control device encryption with Microsoft Endpoint Configuration Manager and Intune.

Compliance settings - Dive deeper into the compliance settings topic, including management possibilities using Microsoft Endpoint Manager (Intune).

Hands on with Labs on Demand

During this offering there are multiple hands-on labs exercises using Microsoft’s Labs on Demand. Each student will be an administrator of their own demo tenant where they will create and deploy security policies using Microsoft Endpoint Configuration Manager. Once the polices are deployed to another machine, the student will be able to view and test out those policies. The areas are listed below are covered in the lab exercises:

Endpoint Security
Implementing RBAC
Endpoint Protection policies
CAMP and Security Intelligence updates
Endpoint protection alerts and reporting
Endpoint protection troubleshooting
Exploit Guard and Application Guard
Microsoft Defender for Endpoint
Device Encryption
Compliance settings

Creating the configuration file for Endpoints for MDE

Configuring Attack Surface Reduction Rules

Configuring Bitlocker drive encryption in MEM

Objectives

After completing this course, you will understand how to set up, configure, and manage Microsoft Endpoint Configuration Manager Role Based Access, Endpoint Protection for Microsoft Endpoint Manager, Application Guard and Exploit Guard integration, Microsoft Defender for Endpoint, BitLocker Drive Encryption, and compliance settings.

Key Personnel For this Offering

This course is targeted at IT staff who have already started designing and implementing Microsoft Endpoint Configuration Manager integration with Microsoft Security products and concepts. To ensure that students are successful at the end of this WorkshopPLUS, it is highly recommended they meet the following criteria:

Existing knowledge of Microsoft Endpoint Configuration Manager
Moderate knowledge of Windows Platform and Microsoft Security products
Basic knowledge of Microsoft Endpoint Manager (Intune)

Disclaimer

As of this writing, the above modules are in scope. However, they might change as Microsoft Endpoint Configuration Manager, Intune, Microsoft Defender for Endpoint, and M365 Security are subject to change.

Follow up and feedback

For further information, please contact your Microsoft Account Representative, Customer Success Account Manager (CSAM), or Service Delivery Manager (SDM).

To improve this or any other workshop, we always consider feedback from you. At Microsoft, achieving a high level of satisfaction among our customers and partners around the world is a core component of our business. For that reason, please don’t hesitate to complete the surveys and provide feedback.

Credit

Special thanks and credit to the development team:

Anton Tatarkin, Senior Customer Engineer, Intune / EMS / Configuration Manager, Netherlands

John Barbare, Senior Customer Engineer - Cybersecurity, Monitoring Solutions (Sentinel, M365 Defender, MDE, MDI, MCAS), Unites States

Charles Baldridge, Customer Engineer, Configuration Manager, United States

Announcing the preview of Zone Redundant Storage (ZRS) option for Azure managed disks

Raman Kumar — Tue, 02 Mar 2021 07:05:02 GMT

We are excited to introduce the preview of Zone Redundant Storage (ZRS) option for Azure managed disks! This capability provides synchronous replication of data across the three Zones in a region, enabling disks to tolerate Zonal failures which may occur due to natural disasters or hardware issues. ZRS option is currently supported for Premium SSD and Standard SSD disks.

Use ZRS disks for legacy applications to achieve better availability

You can achieve high availability for your workloads using application-level replication across two zones, for example, SQL Always On. However, suppose you are using industry-specific proprietary software or legacy applications like older versions of SQL Server, which don't support application-level synchronous replication; ZRS disks will provide improved availability via storage-level replication. For example, if a zone goes down due to natural disasters or hardware failures, ZRS disk will continue to be operational. If your virtual machine (VM) in the affected Zone becomes unavailable, you could use a virtual machine in another zone and attach the same ZRS disk.

Use ZRS with shared disks

You can also use the ZRS option for shared disks to provide improved availability for clustered or distributed applications like SQL FCI, SAP ASCS/SCS. You can attach a shared ZRS disk to primary and secondary VMs allocated on different zones to take advantage of both ZRS disks and Availability Zones for VMs for higher availability. In the event of a primary zone failure, you can quickly fail over to the secondary VM using SCSI persistent reservation.

Use ZRS disks to achieve zero RPO

For LRS disks, you can achieve better durability by taking frequent backups of your disks using ZRS snapshots. You can also enable cross-zone disaster recovery for LRS disks via Azure Site Recovery. However, these options do not provide zero Recovery Point Objective (RPO). If your application must meet zero RPO, then ZRS disks could be the solution.

Pricing and performance

You can find the price for Premium SSD and Standard SSD ZRS disks at the disks storage pricing page. The IOPS and bandwidth provided by ZRS disks is same as the corresponding LRS disks. For example, a P30 (128 GiB) LRS Premium SSD disk provides 5000 IOPS and 200 MB/second bandwidth, which is same for P30 ZRS Premium SSD disk. Disk latency for ZRS is higher than that of Locally Redundant Storage (LRS) due to the cross zonal copy of data.

Get started

If you are interested in participating in the preview, request access by filling out this form. A list of regions where the feature is supported can be tracked on the documentation page. We will keep adding new regions throughout the public preview.

Review the ZRS disks preview documentation to learn how to do the following:

Create a VM with ZRS OS and data disks.
Create multiple VMs in different zones with a shared ZRS disk.
Create VMSS with ZRS OS and data disk.

SAP on Azure General Update – February 2021

Cameron_MSFT_SAP_PM — Tue, 02 Mar 2021 05:30:12 GMT

1. Hotnews : Updates to SAP on Azure Documentation

SAP introduced a new feature called HANA data volume partitioning with HANA 2.0 Support Pack Stack 3.

This feature places multiple Hana datafiles onto multiple disks, thereby avoiding the requirement to aggregate disks using LVM. Some Linux Administrators prefer simpler disk structures.

Example: Rather than aggregating 4 x P30 in LVM and placing one large datafile, multiple datafiles can be placed onto 4 separate disks.

Microsoft has updated the SAP Hana on Azure documentation to reflect the usage of this new feature. Customers should test scenarios such as Backup/Restore and DB integrity check.

SAP HANA Azure virtual machine storage configurations - Azure Virtual Machines | Microsoft Docs

SAP HANA Azure virtual machine ANF configuration - Azure Virtual Machines | Microsoft Docs

SAP HANA – Partitioning Data Volumes | SAP Blogs

Other recent documentation updates for Azure NetApp Files include:

Azure Virtual Machines Oracle DBMS deployment for SAP workload

HA for SAP HANA scale-up with ANF on RHEL

SAP HANA scale-out HSR with Pacemaker on Azure VMs on RHEL

SAP HANA scale-out with standby node on Azure VMs with ANF on SLES

SAP HANA scale-out with standby node on Azure VMs with ANF on RHEL

NFS v4.1 volumes on Azure NetApp Files for SAP HANA

Azure Storage Configuration page is frequently updated. It is recommended to review recent changes in:

SAP HANA Azure virtual machine storage configurations. Recently the disk performance table has been updated to include Azure Premium Disk Burst functionality

More information on Disk Performance Tiers can be found here: Performance tiers for Azure managed disks - Azure Virtual Machines | Microsoft Docs

Recent price reductions and performance improvements are announced here More IOPS at no additional cost for Azure Files premium tier | Azure updates | Microsoft Azure

The main SAP on Azure site https://azure.microsoft.com/en-us/solutions/sap/

SAP on Azure Resources https://azure.microsoft.com/en-us/solutions/sap/resources/

SAP on Azure Updates on the main Azure site https://azure.microsoft.com/en-us/updates/?query=sap

SAP on Azure Documentation “Getting Started” https://docs.microsoft.com/en-us/azure/virtual-machines/workloads/sap/get-started

2. New Azure Monitoring Agent

A new Azure Monitoring Agent is currently in preview and will become Generally Available in due course.

Azure Monitor agent overview - Azure Monitor | Microsoft Docs

The new Azure Monitoring Agent (AMA) has advantages over the current monitoring framework

AMA fully supports Multi-homed Linux VMs and control over version upgrades

AMA is still in Public Preview, but when released AMA will become the default agent installed when a new VM is created. The previous Log Analytics solution will still be available for manual installation.

AMA can also monitor non-Azure servers using ARC Azure Arc – Azure Management | Microsoft Azure

To join the AMA Preview https://aka.ms/AMAgent

Supported Operating Systems include popular Windows, Suse and Redhat releases used by SAP customers Overview of the Azure monitoring agents - Azure Monitor | Microsoft Docs

3. Tuning for SIOS LifeKeeper on Oracle Linux

A significant number of SAP on Azure customers run on Oracle database. Microsoft is continuing to improve and optimize the Azure platform for SAP on Oracle customers. In recent time we have published guidance for deploying Oracle 19.8 on Oracle Linux 8.2 with Automatic Storage Management (ASM). In the future we will publish blogs on Oracle DataGuard and SnapShot Backup of ASM systems.

Oracle customers are often using SIOS LifeKeeper cluster software for the ASCS cluster. Testing has shown the following configuration is optimal for DB, ASCS and SAP Application servers

Increase SIOS cluster timeout to 45 sec (5 sec heartbeats x 9 failures)
Set /proc/sys/net/ipv4/tcp_retries2 = 9 (originally set to 15) on cluster VMs
Set ASCS/SCS for ENSA1 profile parameter to: enque/encni/set_so_keepalive = true restart SAP ASCS/SCS to enable settings
Set net.ipv4.tcp_keepalive_time = 300 (originally set to 7200) on ALL VMs

Thanks for Goran for contributing this item

SIOS Lifekeeper: Linux High Availabillity Cluster Software | SIOS

4. Recommended Blogs for SAP on Azure Customers & Consultants

Many new useful blogs have been created by Microsoft for SAP customers

Part 1: Application Gateway WAF v2 setup for Internet facing SAP Fiori Apps

The blog provides details to configure Application Gateway WAF v2 which acts a first line of defense for Internet facing SAP Fiori Apps in Azure.

NOTE: There is a difference in the end-to-end SSL setup process with respect to the version of application gateway used (v1 or v2). As this blog highlights configuration using application gateway SKU v2, you will find a difference in setup process if you configure application gateway v1.

Part 2: Single Sign On Configuration using SAML and Azure Active Directory for Public and Internal URLs

We already have an official tutorial that describes Azure Active Directory Single Sign On (SSO) integration with SAP Fiori, but this blog extend the use on achieving SAML based SSO for two different URLs (Public and Internal).

Thanks to Bartosz Jarkowski for contributing this blog on SQL Server TDE with Azure Key Vault

https://blogs.sap.com/2021/01/19/your-sap-on-azure-part-25-sql-server-transparent-data-encryption-with-azure-key-vault/

Thanks to Philipp Leitenbauer for releasing this useful tool – version 2.0 of the Hana on Azure Quality Check tool

SAP-on-Azure-Scripts-and-Utilities/QualityCheck at main · Azure/SAP-on-Azure-Scripts-and-Utilities · GitHub

Thanks to Vamshi Polasa for releasing this whitepaper on migrating Oracle workloads to Azure

https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/migrating-sap-on-oracle-workloads-to-azure/ba-p/2109839

Thanks to Anjan for providing a procedure to replication Linux Pacemaker ASCS clusters with ASR

SAP ASCS HA Cluster (in Linux OS) failover to DR region using Azure Site Recovery - Microsoft Tech Community

Another major customer is moving from SAP ECC on Azure to S4 running on Hana Enterprise Cloud running on Azure.

Zespri selects SAP cloud solutions in multi-year deal - SAP Australia & New Zealand News Center

Thanks to Ralf Klahr for this video about CONA (Coca Cola North America)

https://tv.netapp.com/detail/video/6230415190001

Thanks to Goran Condric and others for these blogs on automating system shutdown & startup

Optimize your Azure Costs by Automating SAP System Start – Stop - Microsoft Tech Community

Hey, SAP Systems! My PowerApp says Snooze! But only if you’re ready yet | SAP Blogs

5. SQL Server 2019 CU8 Distributed Network Name

A new feature has been added in SQL Server 2019 CU8 that eliminates the requirement to have a Internal Load Balancer for the SQL Server AlwaysOn Listener. This new feature simplifies the setup, configuration and operations of SQL Server AlwaysOn. Customers may also notice that failover times are faster with a DNN.

A Distributed Network Name (DNN) Listener can be retrofitted to an existing configuration that has a conventional ILB. Documentation on the setup and configuration of a DNN can be found here https://docs.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/availability-group-distributed-network-name-dnn-listener-configure

It is recommended to set MultiSubnetFailover=True and review https://docs.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/availability-group-dnn-interoperability

Note: this feature is exclusively available only as of SQL Server 2019 with CU8 or higher and Windows 2016 or higher.

The default.pfl and Windows environment variables should be updated. A sample ENV can be seen below. The TCP port number specified in the powershell command must be added to both the ENV and default.pfl. The format should be <listenername>,<port>. A comma and not a “.” or “:” must be used

MSSQL_CONNOPTS=MultiSubnetFailover=yes

MSSQL_DBNAME=P01

MSSQL_SCHEMA=p01

MSSQL_SERVER=dnnp01lsnr,6789

The latest SQL Server Service Pack and CU is always supported by SAP and can be downloaded from here https://techcommunity.microsoft.com/t5/sql-server/bg-p/SQLServer/label-name/SQLReleases

SQL Server 2019 CU8 Availability Groups Supports DNNs (microsoft.com)

6. Running Oracle on Azure NetApp Files

It is now supported to run Oracle 19.8 DBMS on Oracle Linux 8.2 connection over NFS to Azure NetApp Files. NetApp features such as Snapshot backup can be used for near instant Backup & Restore

Changes in our Oracle documentation Oracle Azure Virtual Machines DBMS deployment for SAP workload - Azure Virtual Machines | Microsoft Docs
Minimum OEL release (8.2) and minimum DBMS requirement (19.8.0) is documented in SAP note: 2039619 - SAP Applications on Microsoft Azure using the Oracle Database: Supported Products and Versions - SAP ONE Support Launchpad
The Oracle provided dNFS driver should be used in the guest OS. More documentation can be found here: Creating an Oracle Database on Direct NFS - Bing
Thanks to Ralf for providing this blog describing the whole end-to-end process of deployment and configuration with this blog: Deploy SAP AnyDB (Oracle 19c) with Azure NetApp Files - Microsoft Tech Community

Note: VM skus with very high network quota may be needed

7. SUSE Linux 15 Service Pack 2 – Remove Mount Option NOBARRIER

SUSE Linux Enterprise Server 15 (SLES 15) or SUSE Linux Enterprise Server 15 for SAP Applications (SLES for SAP 15) is now certified and supported for both NetWeaver and Hana. The /etc/fstab option NOBARRIER has been depreciated for some time. Suse 15.2 uses a Linux 5.0 kernel. The option NOBARRIER will now cause an error and should be removed. On most modern Linux distributions the NOBARRIER option will be ignored.

The correct IO Scheduler options are documented here SAP HANA Azure virtual machine storage configurations - Azure Virtual Machines | Microsoft Docs

Azure Site Recovery and Azure Hana Backup are both supported on Suse 15 Service Pack 2 (Linux Kernel 5.0)

List of SUSE Linux Enterprise Server kernel (version and release date) | Support | SUSE

8. Update on Support Matrix for SAP on Azure

In recent months many new features have become available for SAP customers. The list below is a very brief overview of recommended features and updated documentation

Azure Disk Encryption is now supported for Gen2 Windows VMs. Gen2 Linux VM support is in progress
Redhat 8.2 is now certified for Netweaver and Hana.
Suse 15.2 is now certified for Netweaver and Hana
Azure Site Recovery now works with Linux Pacemaker clusters and the procedure for protecting and recovering Pacemaker clusters after an ASR failover is documented here https://techcommunity.microsoft.com/t5/blogs/blogworkflowpage/blog-id/SAPApplications/article-id/722
Azure Site Recovery Portal support for PPG is now live https://docs.microsoft.com/en-us/azure/site-recovery/how-to-enable-replication-proximity-placement-groups
Azure Backup for Hana now supports incremental backups Azure Backup for SAP HANA databases now supports Incremental backups – Public preview | Azure updates | Microsoft Azure
Azure backup increased SAP HANA soft limit from 2 TB to 8 TB volume
Customers with a requirement for Immutable Storage for legal or compliance reasons and/or to prevent modification of objects such as backups can use https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-immutable-storage
Customers are recommended to review “Azure Monitor for SAP” which is in preview - https://docs.microsoft.com/en-us/azure/virtual-machines/workloads/sap/azure-monitor-providers

The Azure platform offers ADE and additional encryption solutions. These will be discussed in an upcoming blog:

Double Encryption https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-double-encryption-at-rest-portal
Encyption at Host https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal

9. New Azure Monitor Counters – Guest VM Throttling

Customers and Partners should setup Azure Monitor and leverage new performance counters to ensure SAP on Azure solutions are correctly sized for optimal cost savings and performance.

Over-sizing VMs leads to excessive costs. Undersizing VMs can lead to performance and stability problems.

Each Azure VM is assigned a specific quota of CPU, RAM, Disk & Network. If these quotas are saturated for extended periods performance and stability problems may occur. It is recommended to size VMs such that there are only momentary spikes to 100% for brief periods, typically no more than tens of seconds

Forunately the Azure platform comes with Azure Monitor – a very powerful and useful tool. https://docs.microsoft.com/en-us/azure/azure-monitor/overview

Azure Monitor Quickstarts for Linux and Windows can be found here https://docs.microsoft.com/en-us/azure/azure-monitor/learn/quick-monitor-azure-vm

A list of all the Azure Monitor metrics can be found here

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/metrics-supported but the more useful counters for SAP IaaS VMs can be found here Azure Monitor supported metrics by resource type - Azure Monitor | Microsoft Docs

The counters that monitor disk quota consumption are labelled “Consumed Percentage”. In addition to the below monitoring the network throughput may also be useful.

The quotas of typical VMs used for SAP systems can be found in this link below.

Edv4 and Edsv4-series - Azure Virtual Machines | Microsoft Docs

Additional Links & Notes

The new Azure Portal Application is faster and has useful features – available for download

https://portal.azure.com/App/Download

Redhat support cycle and support dates Red Hat Enterprise Linux Life Cycle - Red Hat Customer Portal

Azure Files NFS 4.1 is now in Preview https://azure.microsoft.com/en-us/updates/azure-files-support-for-nfs-v41-is-now-in-preview/ Azure Files NFS removes the need for a highly available NFS VM infrastructure

Azure Certification and Training courses

Collections - MicrosoftAzuretrainingandcertifications | Microsoft Docs

SAP on Azure Free Online Training Course. Exam AZ-120: Planning and Administering Microsoft Azure for SAP Workloads

https://docs.microsoft.com/en-us/learn/certifications/exams/az-120

A free Certification Exam offer is here https://docs.microsoft.com/en-us/learn/certifications/microsoft-build-cloud-skills-challenge-2020-free-certification-exam-offer

This Red Hat article How to in-place upgrade SAP environments from RHEL 7 to RHEL 8 - Red Hat Customer Portal describes the supported combinations. For HANA, according to the article the in-place upgrade is only supported on non-cloud systems: “The in-place upgrade of RHEL 7 with SAP HANA can be performed from RHEL 7.7 to RHEL 8.2 only, on x86_64 only, and on non-cloud systems only. A SAP HANA system running on RHEL 7.6 or earlier must be updated to RHEL 7.7 “

What’s New in Azure Disk Storage at Microsoft Ignite 2021

henryyan — Tue, 02 Mar 2021 04:10:42 GMT

Since Ignite last September, we’ve been focused on delivering enhancements to Azure Disk Storage to help our customers migrate their mission-critical workloads to Azure. Today, at Microsoft Ignite 2021, we are excited to share a new set of innovations for Azure Disk Storage across key elements, including reliability, scale & performance, security, data protection, and cloud native applications.

This blog post gives you an overview of these new capabilities which will help you run your business-critical applications on Azure.

Reliability

Increase availability for your applications with Zone redundant storage (ZRS) on Premium and Standard SSDs, in preview

Provide synchronous replication of data across zones in a region, enabling disks to tolerate zonal failures which may occur due to natural disasters or hardware issues.
Enable customers to maximize their virtual machine availability without the need for application-level replication of data across zones, not commonly supported by legacy applications such as old versions of SQL or industry-specific proprietary software. This means that if a virtual machine becomes unavailable in an affected zone, you can continue to work with the disk by mounting it to a virtual machine in a different zone.
Can be used with shared disks to provide improved availability for clustered or distributed applications like SQL FCI, SAP ASCS/SCS or GFS2.

Sign-up for the preview.

Read the blog and documentation to learn more about ZRS for Azure managed disks.

Scale & Performance

Achieve sustained higher performance by changing tiers without disruption to your workloads, in preview

In November 2020, we announced the general availability of performance tiers on Premium SSDs, which provides you the flexibility to scale the disk performance without increasing the disk size by selecting a higher performance tier. You can also change tiers to bring the disk back to your baseline performance tier, enabling you to achieve higher performance and cost savings. Performance tiers is critical for planned events like a seasonal sales promotion or running a training environment, where you need to achieve sustained higher performance for a few hours or days and then return to the normal performance levels. Now, in preview, you can change the performance tiers of Premium SSD without any downtime to your application - even when the disk is attached to a running virtual machine.

Sign-up for the preview.

Read the documentation to learn more about performance tiers on Premium SSDs.

Boost disk performance on-demand with new disk bursting experience on Premium SSDs, in preview

We are extending disk bursting support for larger Premium SSDs (above 512 GiB) with a new enhanced experience. Unlike credit-based bursting where you can only burst your performance if you have accrued credits, on-demand bursting allows you to burst up to 6x of the provisioned limit (up to 30,000 IOPS and 1,000 MBps) whenever needed. On-demand disk bursting is most suitable for mission-critical workloads where a limit in performance cannot be tolerated even for unexpected spikes. With on-demand disk bursting, you will be charged a burst enablement fee and for any additional transactions over the provisioned limit.

Read the documentation to learn more about on-demand bursting.

Security & Data Protection

Keep your data secure with auto-key rotation of customer-managed keys, in preview

Azure managed disks provide end to end encryption of data with your keys stored in Azure Key Vault. Now, you can choose to enable automatic rotation of your keys. When you generate a new version of a key in your Key Vault, the system will automatically update all the managed disks, snapshots, and images to the new key version within an hour.

Read the documentation to learn more about auto-key rotation of customer managed keys.

Protect your critical data with per disk backup, in preview

Per disk backup provides snapshot lifecycle management by automating periodic creation of snapshots and retaining it for configured duration using a backup policy. You can easily manage disk snapshots with no additional costs and without need for custom scripting or any management overhead. This is an agent-less and crash-consistent backup solution that takes point in time backup of a managed disk using incremental snapshots with support for multiple backups per day.

Several key aspects of per disk backup include:

Faster and more frequent backups without disruption to your applications
Supports backup and restore for both OS and data disks (including shared disks), regardless of whether they are currently attached to a running Azure Virtual machine.
Cost-effective solution to backup specific disks

Sign-up for the preview.

Read the documentation to learn more.

Cloud Native Applications

Deploy and protect Stateful Kubernetes applications with Azure Disk CSI Driver, generally available

Container Storage Interface (CSI) is a standard for exposing block and file storage systems to containerized workloads on Kubernetes. With the GA of the Azure Disk CSI driver, starting in Kubernetes v1.20, you can now:

Take advantage of the latest Azure Disk functionality by updating to the new CSI driver version, without the need to wait for Kubernetes release cycles.
Create, manage and delete disk volume snapshots via Kubernetes native API, as well as, create new disk volumes pre-populated with the data from a snapshot via Kubernetes dynamic volume provisioning - providing a singular interface for volume and snapshot management.
Use RWX raw block volumes from multiple pods.

Azure Disk CSI driver is now available with Kubernetes v1.20 onwards with AKS Engine and will be available on AKS coming soon.

Application Troubleshooting - Stateless/Stateful Services Cannot Be Started In Service Fabric

Ping_Wu — Tue, 02 Mar 2021 03:05:16 GMT

This blog introduces troubleshooting steps for the issue that stateless/stateful services cannot be started in service fabric as well.

Customer could read this information and follow up the troubleshooting steps to identify the exception and the issue events when stateless and stateful try to start.

Stateless and Stateful Service Lifecycle

The lifecycle of a stateless service is straightforward. Here's the order of events:

1. The service is constructed.

2. Then, in parallel, two things happen:

* StatelessService.CreateServiceInstanceListeners() is invoked and any returned listeners are opened. ICommunicationListener.OpenAsync() is called on each listener.

* The service's StatelessService.RunAsync() method is called.

3. If present, the service's StatelessService.OnOpenAsync() method is called. This call is an uncommon override, but it is available. Extended service initialization tasks can be started at this time.

Stateful services have a similar pattern to stateless services, with a few changes. For starting up a stateful service, the order of events is as follows:

1. The service is constructed.

2. StatefulServiceBase.OnOpenAsync() is called. This call is not commonly overridden in the service.

The following things happen in parallel:

* StatefulServiceBase.CreateServiceReplicaListeners() is invoked.

* If the service is a Primary service, all returned listeners are opened. ICommunicationListener.OpenAsync() is called on each listener.

* If the service is a Secondary service, only those listeners marked as ListenOnSecondary = true are opened. Having listeners that are open on secondaries is less common.

* If the service is currently a Primary, the service's StatefulServiceBase.RunAsync() method is called.

3. After all the replica listener's OpenAsync() calls finish and RunAsync() is called, StatefulServiceBase.OnChangeRoleAsync() is called. This call is not commonly overridden in the service.

Events and Cancellation Token

CreateServiceInstanceListener is to supply the communication listeners for the service instance, it is normally override in stateless service like using Kestrel , https and so on.

RunAsync() is executed in its own task. Note that in the code snippet above, we jumped right into a while loop. There is no need to schedule a separate task for your workload. Cancellation of your workload is a cooperative effort orchestrated by the provided cancellation token. The system will wait for your task to end (by successful completion, cancellation, or fault) before it moves on. It is important to honor the cancellation token, finish any work, and exit RunAsync() as quickly as possible when the system requests cancellation. It will be triggered for stateful primary replica or all stateless instances and normally override in stateful service.

Cancellation token is provided to coordinate when your service instance needs to be closed. In Service Fabric, this open/close cycle of a service instance can occur many times over the lifetime of the service as a whole. This can happen for various reasons, including:

* The system moves your service instances for resource balancing.

* Faults occur in your code

* The application or system is upgraded.

* The underlying hardware experiences an outage.

Troubleshooting

Please follow up below steps to idenify the exception method:

1. RDP to service fabric node. (primary replica node if it is stateful service)

2. Check Application event logs for any exception if no exceptions go to step 3.

3. Check if the port is occupied by the other services.

For TCP: Get-Process -Id (Get-NetTCPConnection -LocalPort YourPortNumberHere).OwningProcess For UDP: Get-Process -Id (Get-NetUDPEndpoint -LocalPort YourPortNumberHere).OwningProcess

4. For non-prod environment, remote debug would be helpful to get more insight, please ref more details via Debug your application in Visual Studio

5. List underlying exceptions and capture dump via procmon

Start-bitstransfer "https://download.sysinternals.com/files/Procdump.zip"

procdump.exe -accepteula -e 1 -f "" -w "processname"

6. Then capture the dump for specific exception.

procdump.exe -ma -e 1 -f "NullReferenceException" -w "processname"

7. Use Windbg, Debugdiag to get details about exception like method call stack.

Troubleshooting 4xx and 5xx Errors with Azure APIM services

SherrySahni — Tue, 02 Mar 2021 03:01:54 GMT

Part I - Troubleshooting 4xx Errors

Debugging and Troubleshooting Overview

The API Management is nothing but a proxy which help to forward the request from client side to destination API service. It has the ability to modify the request or process based on the inputs from the client side before it reaches the destination. In an ideal scenario, APIs configured within an APIM service are expected to return successful responses (mostly 200 OK) along with the accurate data that is expected from the API.

In case of failures, you may see an incorrect response code along with a precise error message of what went wrong during the API call.

However, there may be scenarios where you may observe API requests failing with generic 4xx or 5xx errors without a detailed error message, and it could be difficult to narrow down or isolate the source of the error.

In such cases, the first point is to isolate whether the error code is thrown by APIM or the backend configured by the APIM. This proves to be an important method as most of the error codes are generated by the backend and APIM being a proxy forwards the response (error codes) back to the users who initiated the request. This makes the user think that the error code is thrown from the APIM.

Troubleshooting Azure APIM Failed Requests

Let's suppose you have initiated an API request to your APIM service and the request eventually fails with a “HTTP 500 – Internal Server Error” message.

With generic error messages such as above, it becomes very difficult to isolate the cause or the source of the failed API request since there are several internal and external components that participate during an API invocation process.

If responseCode matches backendResponseCode, then there is an issue with the backend and we should troubleshoot the backend configured with the APIM
If responseCode does not match backendResponseCode and errorReason is empty, then we should check if their policy logic is returning the error using inspector traces.
If errorReason is not empty, it’s a problem in APIM and the troubleshooting of error codes can help to resolve the issue.

Inspector Trace

If the issue is reproducible on demand, then your best option would be to enable tracing for your APIM API requests. Azure APIM services have the option of enabling the “Ocp-Apim-Trace” for your API requests. This generates a descriptive trace containing detailed information that helps you inspect the request processing step-by-step in detail and gives you a head-start on the source of the error.

Reference: https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-api-inspector

Diagnostic Logging to Azure Monitor Log Analytics

You could also enable diagnostic logging for your APIM services. Diagnostic Logs can be archived to a storage account, streamed to an Event Hub resource, or be sent to Azure Monitor Log Analytics logs which could be further queried as per the scenario and requirement.

These logs provide rich information about operations and errors that are important for auditing as well as troubleshooting purposes. The best part about the diagnostic logs is that they provide you with granular level per-request logs for each of your API requests and assist you with further troubleshooting.

Reference Article: https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-use-azure-monitor#resource-logs

While storage accounts and event hubs work as single targeted destinations for diagnostic log collection/streaming, if you choose to enable APIM diagnostic settings with the destination as Log Analytics Workspace, you would be offered with the below 2 modes of resource log collection:

Azure diagnostics - Data is written to the AzureDiagnostics table, which collates diagnostic information from multiple resources of different resource types.
Resource specific - Data is written to individual table for each category of the resource. For APIM, the logs would be ported to ApiManagementGatewayLogs table

Reference Article: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/resource-logs#send-to-log-analytics-workspace

If you want the resource logs to be ported to the ApiManagementGatewayLogs table, you would have to choose the option ‘Resource specific’ as highlighted in the sample screenshot below:

Below are the sample diagnostic logs generated on the Log Analytics Workspace. These logs would provide granular level details for your API requests such as the timestamp, request status, api/operation id, time taken values, caller/client IP, method, url invoked, backend url invoked, response code, backend response code, request size, response size, error source, error reason, error message, et cetera.

NOTE: Post initial configuration, it may take a couple of hours for the diagnostic logs to be streamed to the destination by the resource provider.

Depending on your mode of log collection, here are a few sample queries that could be used for querying the logs pertaining to diagnostic data for your API requests. You can also choose to filter through the logs by fine-tuning the query to retrieve data specific to an API ID or specific to a response code, et cetera.

Maneuver to Azure Portal a APIM service a Logs blade under “Diagnostic Settings” section to execute the queries

AzureDiagnostics | where TimeGenerated > ago(24h) | where_ResourceId == “apim-service-name” | limit 100

ApiManagementGatewayLogs | where TimeGenerated > ago(24h) | limit 100

Log to Application Insights

Another option is to integrate APIM service with Application Insights for generating diagnostic log data.

Integration of APIM with Application Insights - https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-app-insights

Below is a sample query that can be used for querying the “requests” table that can retrieve the diagnostic data concerned with Azure APIM API requests

Maneuver to the respective Application Insights resource a Click on Logs under “Monitoring” section.

requests | where timestamp > ago(24h) | limit 100

Alternatively, the error handling in APIM can be carried out using the API management error handling policy - https://docs.microsoft.com/en-us/azure/api-management/api-management-error-handling-policies

Now that we have enabled diagnostic logs in order to retrieve details about the different types of errors and errors messages for failed API requests, let’s walk through a couple of commonly observed 4xx and 5xx errors with APIM services.

This troubleshooting series focuses on

Capturing some of the common 4xx and 5xx errors observed while making API requests using Azure APIM services.
Providing guidance to APIM users as to how can they debug or troubleshooting API requests that fail with these errors.
Possible solutions for fixing some of the commonly observed 4xx and 5xx errors.

Troubleshooting 4xx and 5xx errors with APIM services

The very first pivotal step with troubleshooting failed API requests is to investigate the source of the response code that is being returned.

If you have enabled diagnostic logging for your APIM service, then the columns “ResponseCode” and “BackendResponseCode” would divulge this primary information.

If the 4xx or the 5xx response being returned to the client is primarily being returned by the backend API (review “BackendResponseCode” column), then the issue has to troubleshoot more often from the backend perspective since the APIM service would then forward the same response back to the client without actually contributing to the issue.

4xx Errors:

Error code: 400

Scenario 1

Symptoms:

The API Management has been working fine during its implementation. It is now throwing a ‘400 Bad Request’ when invoked using the ‘Test’ option under the API Management in Azure portal. While accessing it using a client app or application, the desired result is yielded.

Troubleshooting:

Now, from the above scenario, we understand that the API is throwing a ‘400 Bad Request’ when invoke only from API Management under the Azure portal.

But the other method of invoking is yielding results. The error message clearly states that the endpoint could not be resolved. In case, if it was an issue with the endpoint, then the issue should occur across the invoking methods of the API. Since it is not our case, let us try verifying the endpoint. You can either try to resolve the endpoint from the same machine using command prompt or try a ping test.

Resolution:

In this kind of scenario’s, it is always recommended to check if the API Management is present within a Virtual Network and also notice that it will be configured in the internal mode.

As per the official documentation, “The Test console available on the Azure Portal will not work for Internal VNET deployed service, as the Gateway Url is not registered on the Public DNS. You should instead use the Test Console provided on the Developer portal.”

Scenario 2

Symptoms:

While invoking the API present under the API Management, we encounter ‘Error: The remote server returned an error: (400) Invalid client certificate’.

Troubleshooting:

Let us analyze the scenario,

This issue occurs when the customer has implemented mutual client certificate authentication, in this case client should pass the valid certificate as per the condition written in the policy

To check whether the certificate is passed or not we can enable the ocp-apim-trace. The below trace shows that no client certificate received.

Resolution:

Issue resolved after adding the valid client certificate.

Similar Scenario’s:

Scenario 3

Error Reason: OperationNotFound
Error message: Unable to match incoming request to an operation.
Error Section: Backend

Resolution:

Make sure that the operation which is invoked for the API is configured or present in the API Management. If not, add the operation or modify the request accordingly.

Scenario 4

Error Reason: ExpressionValueEvaluationFailure
Error message: Expression evaluation failed. EXPECTED400: URL cannot contain query parameters. Provide root site url of your project site (Example: https://sampletenant.sharepoint.com/teams/sampleteam )
Error Section: inbound

Resolution:

Ensure that the URL contains only the query parameter defined in the API according to the configuration in the API Management. Any mismatch might lead to such error messages. For example, if the expected input value is integer and we supply a string, this scenario might lead to the error.

Error code: 401 - Unauthorized issues

Scenario 1

Symptoms: The Echo API suddenly started throwing HTTP 401 - Unauthorized error while invoking the operations under it.

Message-

HTTP/1.1 401 Unauthorized

{ "statusCode": 401, "message": "Access denied due to missing subscription key. Make sure to include subscription key when making requests to an API."}

{
"statusCode": 401,
"message": "Access denied due to invalid subscription key. Make sure to provide a valid key for an active subscription."
}

Troubleshooting:

To get access to the API, developers must first subscribe to a product. When they subscribe, they get a subscription key that is sent as a part of request header that is good for any API in that product. Ocp-Apim-Subscription-Key is the request header sent for the subscription key of the product that is associated with this API. The key is filled in automatically.
Regarding error Access denied due to invalid subscription key. Make sure to provide a valid key for an active subscription, it's clear that you are sending a wrong value of Ocp-Apim-Subscription-Key request header while invoking Create resource and Retrieve resource operations.
You can check your subscription key for a particular product from APIM Developer portal by navigating to Profile page after sign-in as shown below.
Select the Show button to see the subscription keys for respective products you have subscribed to.

If you check the headers being sent from Test tab, you notice that the value of Ocp-Apim-Subscription-Key request header is wrong. You might be wondering how come that is possible, because APIM automatically fills this request header with the right subscription key.
Let's check the Frontend definition of Create resource and Retrieve resource operations under Design tab. Upon careful inspection, you would notice that these operations got a wrong hard-coded value of Ocp-Apim-Subscription-Key request header added under Headers tab.
You can remove it, this should resolve the invalid subscription key problem, but still you would get missing subscription key error.

You may get the following error message:

HTTP/1.1 401 Unauthorized

Content-Length: 152

Content-Type: application/json

Date: Sun, 29 Jul 2018 14:29:50 GMT

Vary: Origin

WWW-Authenticate: AzureApiManagementKey realm="https://pratyay.azure-api.net/echo",name="Ocp-Apim-Subscription-Key",type="header" {

"statusCode": 401,

"message": "Access denied due to missing subscription key. Make sure to include subscription key when making requests to an API."

}

Go to the Echo API settings and check if it is associated with any of the available products. If not, then you must associate this API with a product so that you get a subscription key.

Resolution:

Developers must first subscribe to a product to get access to the API. When they subscribe, they get a subscription key that is good for any API in that product. If you created the APIM instance, you are an administrator already, so you are subscribed to every product by default.

Error code: 401 Unauthorized issues

Scenario
Symptoms:

The Echo API has enabled OAuth 2.0 user authorization in the Developer Console. Before calling the API, the Developer Console will obtain an access token on behalf of the user from Authorization header in the Request.

Message :

Troubleshooting:

To troubleshoot the scenario, we would start with checking the APIM inspector trace. We can also find the Ocp-Apim-Trace link from the response.
We notice the existence of a “JWT Validation Failed : Claim Mismatched” message in the traces which is unable to decode the header token provided.

To check the scope of the “JWT Validation” policy, select the Calculate effective policy button. If you don't see any access restriction policy implemented at any scopes, next validation step should be done at product level, by navigating to the associated product and then click on Policies option.

Resolution:

The claim name provided in the Claim section does not match with the APP registered in the AAD.

Provide the Client app registered Application ID in the Claims section to fix the authorization error.
After providing the valid app id, the HTTP response results with HTTP/1.1 200 OK.

Error code: 403 - Forbidden issues

Symptoms:

GetSpeakers API operation fetches the details of speakers based on the value provided in the parameter. After few days of using it, The Operation started throwing HTTP 403- Forbidden error whereas the other operations are working fine as expected.

Message:
HTTP/1.1 403 Forbidden
{
"statusCode": 403,

"message": "Forbidden"
}

Troubleshooting:

To troubleshoot the scenario, we would start with checking the APIM inspector trace. We can also find the Ocp-Apim-Trace link from the response

We notice the existence of a “ip-filter” policy that filters(allow/denies) call from specific IP address ranges.

To check the scope of the 'ip-filter' policy, select the Calculate effective policy button. If you don't see any access restriction policy implemented at any scopes, next validation step should be done at product level, by navigating to the associated product and then click on Policies option.

Resolution:
HTTP 403 - Forbidden error can be thrown when there is any access restriction policy implemented.

As we can see the IP address is not whitelisted in the error screenshot, we need to allow the IP address in the Policy to make it work.
Before:

<ip-filter action="allow"> <address-range from="13.66.140.128" to="13.66.140.143" /> </ip-filter>

After:

<ip-filter action="allow"> <address>13.91.254.72</address> <address-range from="13.66.140.128" to="13.66.140.143" /> </ip-filter>

Once we allow the IP address in the IP-Filter Policy we would be able to receive the response.

Error code: 404

Symptoms:

The Demo API is being invoked by either of the means below,

- Developer portal

- ‘Test’ option under API Management

- Client app like PostMan

- Using user code

The result of the call is a 404 Not Found error code.

Troubleshooting:

Make sure that the issue is existing to proceed with the troubleshooting steps.

Note: The API Management is not present in any Virtual Network which eliminates the option of Network elements causing the issue.

According to the API Management configuration, below are the settings

Name of the API – Demo API

Web Service URL - http://echoapi.cloudapp.net/api

Subscription Required – Yes

Below is the error scenario for the 404 error code using the API Management and the PostMan.

Postman:

API Management portal:

Based on the trace file, we can see that the error code is thrown from the forward-request section and we do not obtain much insights from it.

The configured web service URL is also reachable, and it displays us a visible content.

Web Service URL:

Hence, we proceed on collecting the browser trace while replicating the issue in the API Management section in Azure portal.

Steps to collect browser trace:

- Replicate the issue in the browser (chrome, steps for other browsers might differ slightly)

- Press F12 and navigate to the network tab.

- Make sure that the actions are recorded.

- Right click on any one of the actions and select the last option (Save all as HAR with content).

From the trace, we could see the below information which is show in preview state.

The Requested URL does not lead to a proper content over the mentioned Web Service URL. This is the reason that though the Web Service URL is reachable, the API was still throwing a 404 Not found error code when it was invoked.

Resolution:

Make sure that the Web Service URL leads to a valid destination which helps in the issue resolution. The best approach is to create a proper backend structure which hosts the APIs and then map it to the respective API of the API Management and not vice versa.

The following pointers are the main reason to encounter a 404 Not found error message from an API Management.

You might hit the wrong http Method, (for example, the operation might be POST but you are calling it as GET.)
You might be calling a wrong URL (that either has a suffix or wrong operation path).
You might be using a wrong protocol (HTTP/HTTPS).

In our case, the error is in correspondence with the second point where the configured URL is not pointing to the destination. This has been confirmed by the Browser trace too and hence correcting the URL/path will resolve the issue.

Continue Reading 5xx Error Series

Troubleshooting 4xx and 5xx Errors with Azure APIM services

Janani_R — Tue, 02 Mar 2021 03:00:55 GMT

Part II - Troubleshooting 5xx Errors

This is a continuation of troubleshooting series for 5xx errors. You can find the link of 4xx here.

In the below section, we are referring to the diagnostic logs present under the Log Analytics ApiManagementGatewayLogs when we quote “Diagnostic/Gateway Logs”

Scenario 1: Http Error code 500 with BackendResponseCode logged as 500

Symptom:

A certain API call fails with the error message “500 – Internal Server Error” as highlighted below.

The diagnostic log for this specific failure indicates 500 for the value of the column BackendResponseCode

Cause:

Under the diagnostic logs, if you observe the BackendResponseCode value logged as 500, it means that the backend API has returned a 500 response to the APIM service.

In scenarios where the backend API itself has returned a status code 500 for the incoming request, the APIM service would forward the same response back to the client

Resolution:

The issue would further have to be investigated from the backend API perspective and the backend API provider has to verify why are the backend servers returning the HTTP 500 errors.

Scenario 2: Expression Value Evaluation Failures

Symptom:

Few API requests may return a 500 response code due to failures in the evaluation of the policy expression that the API request invokes.

The error message would be logged as follows:

“ExpressionValueEvaluationFailure: Expression evaluation failed. Object reference not set to an instance of an object.”

Cause:

This error normally occurs due to a “NullReferenceException” wherein you attempt to read a parameter value that hasn’t been defined yet or is set to null.

The ErrorSource column in the diagnostic logs would indicate the name of the policy that is causing the error during the evaluation.

Resolution:

Recommendation is to revisit the policy definition for the API operation which fails evaluation during request processing and fix the null reference exception.

Scenario 3: APIM Client Connection Failure with response code 0 or response code 500

Symptom:

In the gateway logs, you may observe scenarios where the:

Response code column contains either a 0 or 500 response
Error Reason column contains the value “ClientConnectionFailure” logged
Error Message column contains error messages such as “The operation was cancelled, “A task was cancelled”, et cetera.

Cause:

The term ‘Client Connection Failure’ essentially means that the client application (which initiated the API call) terminated the connection with the APIM service even before the backend API could revert with the expected response for the incoming API call and APIM could forward the same back to the client.

It basically implies that the client abandoned the request before the response could be received. APIM has no control over when or why the client decides to abandon the request.

These failures generally occur when the request is taking too long to complete so the client either gives up (a user may close the browser) or the client application may have a time out.

Here a few possible causes for such failures:

Issues with client network
Azure Virtual Network stability
Issues with client application
Low time-out value in client application
Increased request processing time
The Backend API takes abnormally long to respond (possibly due to large payload)

Most of the time, you can observe from the diagnostic logs that the clientTime values for these requests are quite high and contribute to most of the totalTime.

In order to explain what these fields indicate:

totalTime - Total time for the request measured from the first byte received to last byte sent to the client. This includes backend roundrip and client ability to read.
backendTime - Number of milliseconds spent on overall backend IO (connecting, sending, and receiving bytes). If this time is high, it means the backend is slow and the performance investigation needs to be focused there.
clientTime - Number of milliseconds spent on overall client I/O (connecting, sending, and receiving bytes). If this time is high, the client bandwidth or processing might not allow to read response fast.

Resolution:

In most scenarios, Client Connection Failures primarily have to be investigated further from a client perspective since it is the client that essentially terminates the connection with the APIM service.

Few possible suggestions are increasing the Timeout value at the client end, decrease the response processing time, et cetera which depend from scenario to scenario.

Additionally, using the diagnostic logs, you can also find the specific process during which the client abanonds the request by looking into the ErrorSource column.

For example,

If the column contains the value “forward-request”, it means that the client terminated the connection while the APIM service was still forwarding the request to the backend API
If the column contains the value “transfer-response”, it means that the client terminated the connection while the APIM service had received the response from the backend API and was forwarding it back to the client.

Scenario 4: APIM Backend Connection Failures

The APIM service logging “BackendConnectionFailure” under the ErrorReason column in the diagnostic logs essentially indicates that the APIM service failed to establish a connection with the backend API.

This error could be happen due to various reasons and with multiple types of error messages.

Few of the commonly observed error messages for Backend Connection Failures are listed down below. The corresponding error message for the failure would be logged under the ErrorMessage column in the diagnostic logs.

Scenario 5: Unable to connect to the remote server

Symptom:

API requests fail with Backend Connection Failure with the below error message highlighted in the Ocp-Apim traces/diagnostic logs

Cause and Resolution:

The error “Unable to connect to the remote server” normally occurs due to the below reasons:

APIM performance/capacity issues.
SNAT port exhaustion on the APIM VMs
There is an additional network device (like a firewall) that is blocking the APIM service from communicating with the backend API
Backend API isn’t responding to the APIM requests (backend down or not responding)
Network issues/latencies between the APIM service and the backend.

Using the Capacity dashboard on the Metrics blade of the APIM service, you can verify whether there have been any abnormal fluctuations with the average capacity which could have possibly contributed to the issue.

SNAT Port Exhaustion is a hardware specific failure.

The following document highlights that the max concurrent requests from APIM to a back-end is 1024 for the developer tier and 2048 for the other tiers.

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#api-management-limits

Let’s take the example of a Developer Tier service to understand what this means.

The Developer Tier is an APIM service where the APIM service is hosted on a single underlying VM/node/host machine.

Each VM is internally assigned 1024 SNAT ports for communication. Hence, in case of the Developer tier you cannot have more than 1024 outbound connections to the same destination at the same time (concurrent connections). If the number exceeds beyond 1024 outbound connections (possibly due to huge influx of incoming requests) the service will encounter SNAT port exhaustion issues and will fail to establish a connection with the backend server.

NOTE: You can have more than 1024 connections at the same time if the destinations are different (not concurrent).

If it has already been verified that the issue has not occurred due to either capacity issues or SNAT failures, then the issue could possibly be occurring because either the backend API was down, unavailable to establish connection with the APIM service or was terminating the connection due to network latencies between the APIM service and the backend

In order to confirm this, you would have to collect network traces from the underlying VMs/nodes hosting the APIM service while the issue is being reproduced and then analyze the traces for establishing the point of failure.

In most scenarios, you can observe from the diagnostic logs that the "BackendTime" was almost equal to or greater than 21 seconds for all the failed requests and contributed to most of the “totalTime”.

This indicates possibilities of a TCP connection failure to the backend (21 seconds is the usual TCP timeout). APIM tried to engage with the backend, but there was no response from the backend. So, the connection timed out after 21 seconds and a HTTP Status Code 500 was returned, which indicates that the backend server was down or was not responding to connection requests or was unable to maintain the connection.

Scenario 5: The underlying connection was closed: A connection that was expected to be kept alive was closed by the server.

Symptom:

API requests fail with Backend Connection Failure with the below error message highlighted under the errorMessage section in the diagnostic logs

“The underlying connection was closed: A connection that was expected to be kept alive was closed by the server.”

Cause:

This is usually caused by a known APIM issue.

APIM keeps connections to the backend open for as long as possible so it can re-use them and so that it doesn't have to perform TCP/SSL handshakes to establish new connections every time, which has a negative impact on performance. However, if a connection doesn't get used for a certain period of time due to low/no activity (4 minutes), the internal Azure Load Balancer silently drops the connection. When this happens, if APIM tries using the dropped connection next time, the connection fails and the above error message gets logged.

Resolution:

This can be avoided by using the retry logic in APIM.

Reference: APIM Retry Policy - https://docs.microsoft.com/en-us/azure/api-management/api-management-advanced-policies#Retry

Scenario 6: The remote name could not be resolved

Symptom:

API requests fail with Backend Connection Failure with the below error message highlighted under the errorMessage section in the diagnostic logs:

“The remote name could not be resolved”

Cause:

When one machine has to connect to another machine, it has to perform DNS name resolution.

The above error indicates that APIM wasn't able to convert the hostname of the backend (e.g. contoso.azurewebsites.com) to an IP address and couldn't connect to it.

The most frequent cause for this error is using an incorrect hostname while setting up the API configuration. If the service is in a VNET and is using custom DNS, it could mean that custom DNS server was unavailable or did not contain a record for the backend that APIM is attempting to connect to.

Resolution:

Accordingly, the issue has to be troubleshot from a network perspective as per the dependent scenario. The most reliable method of isolating the issue and zeroing down on the exact cause is analysis of network traces for sample failures.

Scenario 7: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel

Symptom:

API requests fail with Backend Connection Failure with the below error message highlighted under the errorMessage column in the diagnostic logs:

“The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel”

Cause:

This error is normally encountered when the backend has been configured to use a self-signed certificate instead of using a publicly trusted root CA certificate.

APIM services are hosted in the Azure infrastructure using PaaS VMs that run on Windows OS.

Hence, every APIM instance trusts the same default Root Certificate Authorities that all windows machines trust.

The list of trusted Root CAs can be downloaded using the Microsoft Trusted Root Certificate Program Participants list - https://docs.microsoft.com/en-us/security/trusted-root/participants-list

Resolution:

There are 2 possible solutions for resolving this issue:

Add a valid trusted root CA certificate that resolves to a Microsoft Trusted Root Participant list.
Disable certificate chain validation in order for APIM to communicate with the backend system. To configure this, you can use the New-AzApiManagementBackend (for new back end) or Set-AzApiManagementBackend (for existing back end) PowerShell cmdlets and set the -SkipCertificateChainValidation parameter to True.

Below is the sample PowerShell command:

$context = New-AzApiManagementContext -resourcegroup 'ContosoResourceGroup' -servicename 'ContosoAPIMService' New-AzApiManagementBackend -Context $context -Url 'https://contoso.com/myapi' -Protocol http -SkipCertificateChainValidation $true

References for creating/updating backend entity:

Scenario 8: Unable to read data from the transport connection: The connection was closed.

Symptom:

API requests fail with Backend Connection Failure with the below error message highlighted under the errorMessage column in the diagnostic logs:

“Unable to read data from the transport connection: The connection was closed.”

Cause:

This error occurs when the APIM service is still trying to read the response from the backend, but the connection was suddenly aborted.

The process by which an APIM service transfers a response to the client is highlighted below:

APIM reads the response status code and header first. The payload will stay in network stream.

Once the header and the status code is received, then APIM will stream across the response body from the backend service to the client.

While the data stream is underway, if any exception is encountered, then the above error message is logged.

Resolution:

Users can implement the retry logic in APIM for avoiding this error:

Reference: APIM Retry Policy - https://docs.microsoft.com/en-us/azure/api-management/api-management-advanced-policies#Retry

Scenario 9: The underlying connection was closed: The connection was closed unexpectedly

Symptom:

API requests fail with Backend Connection Failure with the below error message highlighted under the errorMessage column in the diagnostic logs:

“The underlying connection was closed: The connection was closed unexpectedly”

Cause:

This error occurs when either the APIM service or the backend service abruptly terminates the connection while the communication between the APIM service and the backend was still underway.

Resolution:

In order to isolate the source of the issue and resolve the same, the scenario would require collection of network traces from the underlying VMs/nodes hosting the APIM service while the issue is being reproduced and then analyze the traces for establishing the point of failure.

Implementing retry logic may help to some extent if the frequency of the issue is highly rare.

Error Code: 501

Scenario 1: Not Implemented

Symptom:

Sometimes, you can observe API requests fail with HTTP 501 errors with either of the below error messages highlighted under the errorMessage column in the diagnostic logs:

NOTE: This is not an exhaustive list and the error message would depend on the actual cause:

“Header BPC was not found in the request. Access denied.”
“Unable to match incoming request to an operation.”
“Header RegionID was not found in the request. Access denied.”

Cause:

This is not a rarely observed error with the usage of APIM services.

The above HTTP server error response code means that the server does not support the functionality required to fulfill the request.

In APIM terms, if the client makes a request to the server but the server finds the request as inappropriate since it does not support the feature/method to process the request, then it could return a 501 response to the caller.

Reference: https://www.checkupdown.com/status/E501.html

The server returning the 501 response in this scenario would be the

Backend if the BackendResponseCode in the logs is 501. APIM would return the same response to the client.
APIM service if the ResponseCode is 501 and BackendResponseCode is either blank or 0 in the diagnostic logs.

Resolution:

In case it’s the APIM service which returns a 501 response and not the backend, a very popular occurrence is where APIM logs the following error message – “Unable to match incoming request to an operation” for which both the API configuration within the APIM service as well as the request formation and invocation processes have to be reviewed at client-side as per the scenario.

Or there are also possibilities where the 501 error code is being returned by a policy effect that is being evaluated during request processing. If that is the case, you would find the corresponding policy name highlighted under the “ErrorSource” column in the diagnostic logs.

Resolution:

The best option in such scenarios is to collect Ocp-Apim Trace which would retrieve detailed request processing details and assist isolating the point of failure.

Error Code: 502

Scenario 1: Bad Gateway

Cause/Resolution:

APIM services forwards a 502 Bad Gateway response to the client in case of Backend Connection Failures.

Hence, the troubleshooting and debugging remain the same as the Backend Connection Failures section documented above and is dependent on the details observed under the “ErrorMessage” column in the diagnostic logs.

The most commonly found error message logged by APIM for a 502 response is “The remote name could not be resolved”

Error Code: 503

Scenario 1: Service Unavailable

Symptom:

Sometimes, you can observe API requests failing with HTTP 503 errors and the error message indicating that the Service is Unavailable.

Below is a sample error message observed on Postman while attempting to invoke an API

Cause:

503 responses are mostly returned by the backend servers amongst popular occurrences.

However, APIM services also return a 503 response to the client even before the request is forwarded to the backend in scenarios where there are certain policy effects being applied to the incoming request before forwarding it to the backend and the request is terminated due to the application/evaluation of the inbound policy effect.

Resolution:

Verify the “ErrorSource”, “ErrorReason” and “ErrorMessage” columns in such scenarios and proceed accordingly.

Error Code: 504

Scenario 1: Gateway Timeout

Cause/Resolution:

Below are some of the popular scenarios where APIM services return a 504 response to the client:

Scenario 1: The APIM service has waited too long to establish a connection with the backend server but the backend is not available or responding.

The troubleshooting performed remains the same as that of troubleshooting Backend Connection Failures highlighted above.

In the diagnostic logs, specifically look out for the sub-component time values and the columns “ErrorReason” and “ErrorMessage” in order to isolate the source of the issue.

Scenario 2: The backend service is taking too long for request processing leading to the APIM service terminating the connection. In such scenarios, you can observe under the diagnostic logs that the “BackendTime” is high when compared to the total time taken for request processing and consumes most of the total time.

There are 2 possible solutions for mitigating this issue:

Increase the timeout value of the APIM service under the <forward-request> policy such that it is in tally with the average time taken by the backend for request processing.
Reference: https://docs.microsoft.com/en-us/azure/api-management/api-management-advanced-policies#ForwardRequest
Improve backend performance by reducing the response time.

Scenario 3: The timeout value configured for the APIM service within the <forward-request> policy is low.

Popular mitigation step is to Increase the timeout value of the APIM service under the <forward-request> policy section such that it is in tally with the average time taken by the backend for request processing.

NOTE: For APIM API request processing, the default timeout value imposed by APIM services is 300 seconds/5 minutes.

The default timeout value can be increased using the forward-request APIM policy - https://docs.microsoft.com/en-us/azure/api-management/api-management-advanced-policies#ForwardRequest

For "timeout", the maximum value can be set to any valid integer, but as the above documentation states, the real maximum value is going to be around 240 seconds since values greater than 240 seconds may not be honored as the underlying network infrastructure can drop idle connections after this time.

Reference: https://docs.microsoft.com/en-us/azure/api-management/api-management-advanced-policies#attributes-1

[UI Only] Event Trigger Renamed to Storage Event Trigger

ChenyeCharlieZhu — Tue, 02 Mar 2021 03:05:28 GMT

As we public preview the new Custom Event Trigger, that processes and responds to Custom Topics in Event Grid, we are making one minor change to the beloved Event topic: we are renaming the trigger to Storage Event trigger, to better convey its use cases and capabilities.

Storage event trigger kick offs pipelines based on events such as the arrival or deletion of a file in your Azure Storage account. The trigger supports both Azure Data Lake Storage Gen2 and General-purpose version 2 storage accounts.

To create a Storage event trigger, in ADF UI portal, select Storage event in the trigger type drop down menu

Similarly, the monitoring tab is renamed to Storage Events under Trigger run monitoring page

3 Key points for renaming:

The renaming only impacts UI experience: in that instead of selecting Event Trigger, customers should select Storage event trigger
Renaming has no impact on existing triggers. Backward compatibility is guaranteed
Renaming has no impact on JSON definitions, or SDK usage. For JSON definition, trigger type remains "BlobEventsTrigger". SDK and JSON editing users will not be impacted by this change

Delivering an even better Redis experience on Azure

kteegarden — Tue, 02 Mar 2021 02:41:36 GMT

As ever more applications are built to be cloud native, services like Redis are essential to enable these applications to perform and scale under heavy loads. To allow developers to utilize the speed and flexibility of Redis without the hassle of operation, Azure offers Azure Cache for Redis, a fully managed Redis service. A third-party benchmark recently showed that Azure Cache for Redis can improve latency and throughput performance by up to 800% when added to existing Azure architectures. To build on this powerful technology, we announced an innovative collaboration with Redis Labs almost a year ago to bring their Redis Enterprise software to Azure as a part of Azure Cache for Redis. Customers both large and small have been excited to try the expanded capabilities during the preview, and developers have found novel ways to solve their application challenges with the offering. Today, we’re proud to announce the general availability of the Enterprise and Enterprise Flash tiers of Azure Cache for Redis.

What’s in the box?

The new Enterprise offerings enhance and expand the range of use cases for Redis today. Redis modules from Redis Labs, like RediSearch and RedisTimeSeries, enable new use-cases for Redis such as real-time search and IoT data ingestion. At the same time, the offering also improves your existing Redis experience by making caches larger, more resilient, and capable of being distributed around the globe. The powerful features available include:

Active Geo-Replication (in Preview)
Higher availability—architected for 99.99% with zone redundancy, and 99.999% with active geo-replication.
Redis Modules, including
- RediSearch
- RedisBloom
- RedisTimeSeries
The latest version of Redis—Redis 6.0
Redis on Flash, using both DRAM and NVMe storage to enable cache sizes up to 13TB at a lower price per GB.

If you currently use Redis Enterprise on-prem, this offering allows you to enjoy many of your favorite features in a native Azure solution. Streamlined billing, familiar security and monitoring tools, and the ability to use your Azure spend commitment are all included. Even better, support for the Enterprise offering on Azure is backed all day, every day by the Microsoft support team, who have a direct line to the experts at Redis Labs if additional assistance is needed.

Active Geo-Replication

New in the Enterprise offering is a much-requested upgrade: the ability to geo-replicate data across caches in an active-active configuration. Now in preview, this feature allows data to be written locally in more than one region, with changes automatically replicated to and merged with other regions. Active geo-replication enables you to create a worldwide distributed cache with local latency access for users around the globe. This feature opens many exciting possibilities:

One key application is handling user sessions across regions. A huge advantage of Redis is the blazing-fast latencies gained from accessing data in-memory. If a user is far away from the data center holding the cache, however, this advantage is limited due to network latency. With active geo-replication, user session data can follow a user without complicated data management on the backend. The data is simply duplicated to the Redis instance in the closest data center, with all changes synchronized automatically.

Another important use case is with applications that are distributed worldwide. Active geo-replication greatly simplifies the data layer by reducing the need to manage geographies. For instance, a mobile game might have a worldwide leaderboard. Instead of developing infrastructure to share and rank scores between regions, high scores from each user can simply be written to a Redis sorted set that is distributed across regions worldwide. Through conflict-free resolution in active geo-replication, scores will be ranked seamlessly.

Increased Availability

One significant advantage of active geo-replication is that it makes a Redis deployment substantially more resilient to single-region failures. This, combined with the option to deploy Redis across multiple availability zones in a single region, provides two additional high-availability options. Deploying across availability zones gives up to 99.99% availability, while active geo-replication is designed for up to 99.999% availability—less than six minutes of downtime per year. This increased resiliency is essential to many retail and financial services customers who rely on Redis for inventory or pricing systems.

Redis Modules + Redis 6.0

The Redis Enterprise offering on Azure doesn’t just boost geographic distribution and availability, however. It also includes powerful features that enable new use cases. With the introduction of Redis 6.0, Azure Cache for Redis users gain access to the Redis Streams data type for the first time. Streams can be used to implement messaging systems, allowing Kafka-like functionality where clients can intelligently consume items from the stream. Three Redis Modules are additionally supported: RedisBloom, RediSearch, and RedisTimeSeries:

Customers like SitePro have already started using these highly-effective modules in their workflows, for example using RedisTimeSeries for IoT data ingestion:

"We are extremely excited about the added functionality in the Azure Cache for Redis, Enterprise Tiers. We know, love, and have used Redis for years as a key component in our industry leading real-time IoT control & monitoring platform. The Enterprise tiers allow us to do more with Redis by leveraging the RedisTimeSeries module to support data collection and analytics from hundreds of thousands of IoT sensors. "

-CEO and President

Learn More

Interested in learning more? Watch the session at Microsoft’s Ignite conference for a deeper dive and a demo of active geo-replication, and read the blog from Redis Labs.

Want to go ahead and give the new features a try? Read the documentation, and start your free Azure trial today.

What’s new in Azure AD at Microsoft Ignite Spring 2021

Alex Simons (AZURE) — Mon, 01 Mar 2021 23:00:00 GMT

Howdy folks,

It’s that special time of year with another digital edition of Microsoft Ignite on the horizon. We know that security is top-of-mind for you and your business leaders, maybe now more so than ever. So we’re excited to share several Azure AD announcements that will help you strengthen your Zero Trust defenses in this current era of hybrid work. We’ll be updating our key news on Tuesday morning as Microsoft Ignite starts, so please watch our Microsoft Security blog for further announcements.

Once you’ve checked that out, be sure to tune in to Azure Active Directory: our identity vision and roadmap airing first at Wednesday, March 3^rd at 5:00pm PT, delivered by Joy Chik, as she shares a deeper dive on how Azure AD helps you maximize control while enabling a seamless and secure user experience. Joy will be joined by a team of our identity expert to show off cool demos and share best practices to strengthen your authentication, simplify onboarding, and secure access to all your apps.

Please also join our experts for a live Q&A where they will answer your burning questions on our identity announcements, tips for deploying secure passwordless solutions, and Zero Trust as the proactive approach to cybersecurity.

No matter where you are in the world, I hope you will join us through our live and pre-recorded sessions. Join the conversation on Twitter and LinkedIn with the hashtag #MSIgnite.

Additional technical deep dive sessions available starting Tuesday

Go passwordless | Hands-on tour in Azure AD with FIDO2 keys and Temporary Access Pass - watch
Taking identity and privacy to a new level – watch
Prevent attacks by protecting your applications with Azure Active Directory – watch
Winning Azure Active Directory strategies for identity, security, and governance – watch
Zero Trust – The proactive approach to cybersecurity – watch

Looking for more ways to engage with our identity content and experts?

Visit the Connection Zone where various engagement opportunities will help deepen your knowledge and skills.

Compete and win free certification exams while building your expertise by participating in Cloud Skill Challenges
Tune into Plan implement and administer conditional access, a Learn Live session which will highlight how to plan and implement security defaults, test, and troubleshoot conditional access policies implement application controls and session management as well as how to configure smart lockout thresholds.
Want to have your questions answered by a Microsoft Professional? Visit One-on-one Consults to schedule a 45-minute consultation where you can engage directly with an identity expert.

Best regards,

Alex Simons (Twitter: @alex_a_simons)

Corporate Vice President Program Management

Microsoft Identity Division

AzureRM will retire by 29 February 2024

dcaro — Mon, 01 Mar 2021 22:32:53 GMT

Can you remember 2015? Apple launched the Apple Watch, Microsoft launched Windows 10, and we announced AzureRM v1.0!

After years of service and coexistence with its replacement, the time has come to share the next steps we are taking with AzureRM.

Looking back

In 2018, we introduced a new generation of PowerShell modules named “Az”, bringing several advantages:

Based on .NET Standard library for cross-platform execution.
Addressed customer feedback about the length of commands.
Reduced inconsistencies between cmdlets and modules.

After two years of existence and continuous improvements, the Az PowerShell modules feature the following benefits:

Security and stability
- Token cache encryption
- Prevention of man-in-the-middle attack type
- Support authentication with ADFS 2019
- Username and password authentication in PowerShell 7
Support for all Azure services
- All generally available Azure services have a corresponding supported Az PowerShell module
- Multiple bug fixes and API version upgrades since AzureRM
New capabilities
- Support in Cloud Shell and cross-platform
- Can get and use access token to access Azure resources
- Cmdlet available for advanced REST operations with Azure resources

We are now announcing that the AzureRM PowerShell module will retire by 29 February 2024.

If you are still using AzureRM modules, we advise you to migrate to Az at your earliest convenience.

How do I migrate?

When we talked with customers, the effort needed to migrate scripts based on AzureRM to Az was one of the main blockers.

We provide a toolkit comprised of three options to help you migrate to Az:

A PowerShell module to convert your scripts automatically.
A compatibility mode with the “Enable-AzureRmAlias” cmdlet allowing you to run AzureRM scripts with Az modules.
A VSCode extension if you want to perform the migration of your scripts with an IDE.

The following page has all the resources and technical information to help you migrate your scripts to Az: https://docs.microsoft.com/powershell/azure/migrate-from-azurerm-to-az

Open an issue on GitHub if you encounter problems with the migration toolkit.

Products and services using AzureRM

Some products and services have dependencies on the AzureRM modules. We are working closely with them to provide you with a path forward.

Next steps

We encourage you to start your migration as soon as possible and share with the community best practices that you may have, including tips and tricks.

The entire team is listening to your feedback and welcomes issues and contributions.

For issues on the migration toolkit: https://github.com/Azure/azure-powershell-migration
For best practices sharing: https://github.com/Azure/azure-powershell/discussions

And as always, you can reach out to us via Twitter @azureposh

Universal Print ready printers by Epson

Epson_UniversalPrint — Mon, 01 Mar 2021 21:00:54 GMT

In September 2020, we announced that we are working with Microsoft on Universal Print integration. Epson is happy to share that we are ready to release Epson printers with built-in support for Universal Print from Microsoft.

Our Universal Print ready support is available by updating firmware according to the list of models below:

Support starting end of March 2021:

(Japan) PX-M7080FX, PX-M7090FX, PX-S7090X
(Other regions) WF-C878R, WF-C879R, WF-C878RB, WF-C879RB

Support starting May 2021:

(Japan) LX-10050MF, LX-10050KF, LX-7550MF, LX-6050MF
(Other regions) WF-C20600 Series, WF-C20750 Series, WF-C21000 Series

- Epson Universal Print

February Project Update Blog

Microsoft Project Team — Mon, 01 Mar 2021 23:57:50 GMT

Microsoft Project Trivia!

We’re starting trivia this month to help people learn more about Microsoft Project & its history. Leave your guesses to these questions in the comments & check back next month to see if you were right!

Question: What year was Microsoft Project first released?

Bonus: How many Windows applications did Microsoft release before Project?

Reimagine Project Management with Microsoft

Microsoft Project is hosting a free digital event to help our users learn more about how to leverage Project, Microsoft Planner, and Dynamics 365 Project Operations to best manage your projects – both big and small!

This includes 6+ hours of on-demand demos and product walkthroughs to help you discover and leverage new features and learn best practices to keep your projects on track. Get tailored guidance directly from the engineering teams behind these products.

This event goes live on March 18^th, 2021. You can learn more here.

New Features

Flexible Deployment for Project for the web ~ This feature is now available to all users! Create different environments for Project for the web based on organization, business unit, or team needs. Check out our blog post to learn more about this new experience
Filter on Project Home ~ Use a search bar to easily find your projects on Project Home.

Upcoming Features

Export Timeline to PDF ~ Print your timeline information to a PDF so you can share your project schedule with external stakeholders.
Project Accelerator ~ The Project Accelerator allows users to leverage Power Apps to manage the entire lifecycle of your projects, including demand management, financial goals, team development, and artifact tracking.
Assign tasks to non-group members ~ Assign a task to someone without automatically adding them to your project group.
Effort in the Project details pane ~ See overall effort on your project directly in the Project details pane, including the total effort, completed effort for your project, and remaining effort on your whole project.

FAQ:

This section includes questions we see frequently, either through the in-app Feedback button or from the comments of last month’s blog.

Q: What dependencies are supported in Project for the web?

A: Project for the web currently only supports Finish-to-Start dependencies. If you need additional dependencies, please submit feedback using our in-app “Feedback” button in the top-right corner of the product. This best helps us keep track of customer needs.

Q: Where are attachments stored in Project?

A: You can find all your attached files in your Team’s SharePoint library.

Note that you can't attach files to tasks in Project unless you have already shared your project to a group. You can do this by using the “Group members” button in the top-right corner of the product.

You can attach links to your tasks even before you add a group to your project.

We want to hear from you! If you have feedback, submit it by using the “Feedback” button in Project for the web. Make sure to include your email address so we can contact you directly with any follow up questions or comments. Your comments on our blog posts are also monitored, so let us know what you think about this or other articles.

Microsoft Endpoint Manager at Microsoft Ignite: March 2021 edition

Joe Lurie — Mon, 01 Mar 2021 19:52:06 GMT

Microsoft Ignite 2021: March edition is almost here! And here’s your guide to everything you’ll find that’s Microsoft Endpoint Manager related! And we mean EVERYTHING!

Jump to: Core sessions | On-demand sessions | Ask the Experts | Depth on demand | Endpoint management deep dives - Q&A in March

Microsoft Endpoint Manager continues to be the one product, that hub, to unify security, apps, access, compliance, and the end-user experience across your entire estate. And whether those devices are Windows devices, Android, iOS, iPad OS, Mac OS, whether they are used by information workers or are being used as kiosks, whether they are assigned to a single user or are configured as shared devices, and whether they are on-premises or remote – or any combination, Endpoint Manager can help keep your organization running smoothly, whatever the future brings.

If you are currently using Configuration Manager to manage your devices and haven’t moved to the cloud, or you’ve started that path to cloud management, or you are natively managing all of your endpoints with Microsoft Intune, now is the time to hear about everything new with Endpoint Manager- even since last September. If you haven’t already, register at https://myignite.microsoft.com and start building your schedule. You can click the session titles below and add them to your schedule (aka: digital backpack). Make sure you bookmark this post as we’ll be updating it each day with links to all our announcements, in-depth learning on demand, and all post-Ignite activities.

Here's what’s on the agenda, live and on-demand at Microsoft Ignite 2021: March edition!

Core sessions

Spotlight on the future of work

Start the event with Modern Work CVP Jared Spataro, as Jared talks about flexible work, and how Microsoft is empowering people to work from home, on the go, and at the office.

The hybrid workplace – Tuesday, March 2 | 9:45AM-10:15AM PST
The hybrid workplace – Tuesday, March 2 | 7:15PM-7:45PM PST

Engineer to engineer: let's talk Windows!

After Jared’s keynote, even though this is a Windows session, you need to join our Windows CVP Aidan Marcuss with his guests (from left to right) Gabe Frost (Windows), Ramya Chitrakar (Endpoint Manager), and David Weston (security) for a fun conversation about all of the great features and capabilities we’ve built into Windows, security, and management based on YOUR FEEDBACK AND SUGGESTIONS. And how we’re carrying those further to help prepare your organization for the future.

We’ll have live Q&A throughout the session, too, so pick the time that works best for you and add it to your backpack!

After the Wednesday. March 3rd "Let's talk Windows" session, around 4:30 PM PST, Steve Dispensa, Rob Lefferts, and Rudra Mitra will also join the live anchor desk to talk about the convergence of endpoint management and security so keep an eye on the MyIgnite main channel!

On-demand sessions

After or in between core sessions, we have also great sessions that you can watch or save to your digital backpack to watch on demand any time:

Ask the Experts

We offer live Q&A during the core sessions and in-between segments, but if you miss those, we also have our SMEs taking your questions live via Teams Live Events! Come join our diverse group of engineers, support, and other product experts as we discuss and answer your questions live! Space is limited so make sure you click your desired session to RSVP!

Ask the Experts: Zero Trust – The proactive approach to cybersecurity
Wednesday, March 3 | 11:00AM-11:30AM PST
Ask the Experts: Securing your endpoints with Defender and Microsoft Endpoint Manager
Wednesday, March 3 | 2:30AM-3:00AM PST

Microsoft Edge

If you have specific questions around deploying and managing Microsoft Edge, join Colleen Williams and members of the Edge engineering team on Tuesday, March 2 | 11:30PM-11:59PM PST for Ask the Experts: Microsoft Edge: Top reasons why customers love Microsoft Edge

Windows & Devices

If you are also looking for advice on deploying, managing, and servicing Windows & Devices, we have lots of goodies for you! First, we’ll offer live Q&A during the fireside chat with Panos Panay and Roane Sones on Tuesday, March 2 | 11:30AM PST. And if that time doesn’t work for you, keep an eye on the session builder as we’ll be replaying this session later in the day.

Then check out the special Ask the Experts sessions: Let’s talk Windows, which we’ll have live at two timeslots:

And for more session on Windows & Devices, check out our blog post here: Windows & Devices at Microsoft Ignite 2021: March edition

Depth on demand

And finally, we know you come to Microsoft Ignite for deep, technical learning, and to build your technical skills. Like we did in September, we have a breadth of deep dive videos on the Video Hub on Tech Community. These are direct from our engineers and product experts!

What's new in Windows management with Microsoft Endpoint Manager – Matt Call & Mike Danoski
What's new in iOS/macOS management with Microsoft Endpoint Manager – Arnab Biswas & Anya Novicheva
What's new in Android management with Microsoft Endpoint Manager – Priya Ravichandran
Microsoft Defender + Tunnel: simple, secure mobile connectivity – Tyler Castaldo & Shravan Thota
Enabling frontline workers with Microsoft Endpoint Manager – Chris Baldwin & Cory Ferro
Application reliability in Endpoint analytics – Zach Dvorak

Endpoint management deep dives – Q&A in March

Of course, you’ve already heard about our Microsoft Endpoint Manager deep dives and Q&A events that are happening after Ignite! For more information on our Endpoint Management Acceleration Day, our 1:1 consults, and Ask the Experts Q&A, check out the Microsoft Endpoint Manager Blog!

Learn more

If you are looking for more of a prescriptive learning path, we’ve got some learning guides to help you manage and protect devices and apps with Endpoint Manager.

And, finally, here are some additional guides to help you maneuver around all that is Microsoft Ignite 2021: March edition.

Stay informed

Follow us at @MSIntune for the latest announcements and updates on Microsoft Endpoint Manager throughout Microsoft Ignite and beyond.

* Timing subject to change Refer to the MyIgnite session catalog for the latest times and updates.

Remotely run DDL and DML in Synapse from a SQL Managed Instance using Linked Servers

pedrorebelo — Mon, 01 Mar 2021 19:18:19 GMT

Imagine you have a SQL Managed Instance and a SQL Dedicated Pool. Now imagine that for some reason you need to run a SELECT, INSERT, UPDATE or even a CREATE TABLE on your SQL Dedicated Pool but executed from your SQL Managed Instance. In case you didn't know, you can do this using Linked Servers.

For those unfamiliar with Linked Servers, they enable the instance in which you create them to read data from remote data sources and also to execute commands against remote database servers.

You can setup Linked Servers using SSMS or you can use T-SQL as well. Here's a short example of how to setup a Linked Server from a SQL Managed Instance to Azure Synapse Analytics SQL Dedicated Pool, using T-SQL.

First, we need to start by creating the Linked Server on our SQL Managed Instance, and configuring it to point to our SQL Dedicated Pool:

-- Configure the linked server on your SQL Managed Instance EXEC sp_addlinkedserver = 'yourLinkedServer', -- specify here the name you want for your linked server @srvproduct = N'', = 'MSOLEDBSQL', -- recommended OLE DB provider @datasrc='yourworkspacename.sql.azuresynapse.net', -- add here your SQL Dedicated Pool server name @catalog = 'yourDatabase'; -- add here your SQL Dedicated Pool database name as initial catalog (you cannot connect to the master database)

After having created the Linked Server, we need to define the credentials with which we want to connect to your SQL Dedicated Pool:

-- Add credentials and options to this linked server EXEC sp_addlinkedsrvlogin @rmtsrvname = 'yourLinkedServer', @useself = 'false', -- so we can specify below which user and password to connect with @rmtuser = 'yourLogin', -- add here your login on your SQL Dedicated Pool @rmtpassword = 'yourPassword'; -- add here your password on your SQL Dedicated Pool

Lastly, by default Linked Servers are not able to make stored procedure calls so we need to enable a setting:

-- Enable RPC to the given server EXEC sp_serveroption = 'yourLinkedServer', @optname = 'rpc out', @optvalue = true;

Once you've successfully executed all the previous steps, you can now remotely run T-SQL commands on your SQL Dedicated Pool directly from your SQL Managed Instance.

Executing T-SQL via Linked Servers requires we declare the objects we are referencing with a 4-part name in the format of:

-- Query the data using 4-part names SELECT * FROM yourLinkedServer.yourDatabase.yourSchemaname.yourTablename;

However, if you try to run DDL or DML (other than SELECT) using this 4-part name you'll get error messages as follows:

INSERT INTO yourLinkedServer.SampleSQL.dbo.Employee VALUES(1);

Msg 46706, Level 16, State 1, Line 29
Cursor support is not an implemented feature for SQL Server Parallel DataWarehousing TDS endpoint.

CREATE TABLE yourLinkedServer.SampleSQL.dbo.t1(col1 INT NULL);

Msg 117, Level 15, State 1, Line 31
The object name 'yourLinkedServer.SampleSQL.dbo.t1' contains more than the maximum number of prefixes. The maximum is 2.

A way to get around this is by running the DDL and DML in the format of:

EXEC ('DDL/DML') at yourLinkedServer

So for two previous examples, the T-SQL would be:

--to create a table EXEC ('CREATE TABLE dbo.t1(col1 INT NULL)') at yourLinkedServer;

--to insert a row into the table EXEC ('INSERT INTO dbo.t1 VALUES(1)') at yourLinkedServer;

Hope you find this useful!

WinObj v3.01

lukekim — Mon, 01 Mar 2021 18:43:45 GMT

WinObj v3.01

This minor update to WinObj fixes a crash on exit.

Get insights on application reliability and device restart frequency with Endpoint analytics

Mayunk Jain — Mon, 01 Mar 2021 18:13:57 GMT

Well-running apps are critical to a great endpoint experience. Users are never happy when an app crashes or a device restarts and their flow is broken. Worst case scenario, they may even lose the work that they just did. Service desks help solve these problems, but they only have visibility into the ones that people report, not the ones where someone just suffers in silence. What is needed is greater visibility into these issues across the entire organization. The two new Microsoft Endpoint Manager features in Endpoint analytics give IT admins the visibility and insights needed to help improve this experience.

Both of these features -- a new application reliability report and new data for reboot frequency in the existing startup performance report -- reflect our commitment to the user experience because users are happier when work isn’t slowed down and IT can focus on helping drive the business when there are fewer support calls.

The application reliability report, available in preview and rolling out over the next few days, gives IT visibility into which desktop applications are hampering the user experience, due to frequent crashes and because they are broadly deployed to users. The report also offers suggestions for improving app performance and alerts IT to issues that users may not have created tickets for yet despite growing frustration, which can help decrease the number of support tickets in the long run.

How to use the application reliability report

If your devices are Intune managed or co-managed, you don't need to do anything to see the application reliability report. It sits alongside the rest of the Endpoint analytics reports in the Microsoft Endpoint Manager admin center console. If you have devices enrolled through tenant attach, upgrade to Configuration Manger 2006 for this report to populate. On the Overview page is your app reliability score as well as a baseline score, which, by default, represents the median across all commercial organizations. This can help you determine issues unique to your environment—and potentially caused by poor configurations—versus more widespread issues.

Below that is a list of the apps most likely to have reduced user productivity during the previous 14 days. This considers not only crash frequency but also usage to help reduce noise, such as one-off applications crashing 100 times on a single device. On the right column are app reliability Insights and Recommendations prioritized by which are most likely to boost your score.

In the App performance tab is a list of all your organization’s apps, which can be sorted by app name, publisher, active devices, app reliability score, and mean time to failure, which is the average number of times the app can be used across the organization between crashes.

You can also see your organization’s application reliability performance by other pivots like model, and OS version deployed, as well as troubleshoot application reliability issues with individual devices. In device performance, each device is given a device app health score, based on how often applications crashed on that device during the previous 14 days. Clicking into each device gives you a timeline of app crash and app hang events so you know exactly when crashes occurred, which can help speed troubleshooting.

New insights into device restart frequency

To help improve the user experience even further, we have also enhanced the existing startup performance report. New insights on device restart frequency, also known as reboot frequency, will help you identify problematic devices because reboots break the user from their flow and should not be needed often.

To help you better understand the type of reboots that happens, we classify each them as either normal or abnormal. Normal restarts are those that go through the normal Windows shutdown process. These include: Windows update installations, which typically occur once a month; non-update shutdowns from users, typically to save battery power; and non-update restarts, which shouldn’t occur often beyond monthly patching.

In contrast, abnormal restarts are ones that haven’t gone through the normal Windows shutdown process and could suggest problems that need to be investigated further. There are also three categories for this type of restart.

Blue screens: This abnormal restart type is also called a stop error. Usually, less than two stop errors occur per device per year.
Long power button press: This restart happens when a user holds down the power button to force a restart. These shutdowns are typically even less frequent than blue screens.
Unknown: These are shutdowns that don’t fit either of the two other abnormal shutdown types. Microsoft will continue to research these to determine if additional categories should be added.

The restart frequency feature is now in preview and is rolling out to everyone over the next few days regardless of how you’ve configured the telemetry level or Windows Error Reporting in Windows Diagnostics.

Check out the rest of Endpoint analytics

There is so much more to Endpoint analytics than what we just covered. There are also reports on recommended software that help advise organizations on software that can help optimize OS and Microsoft versions for the best user experience. There is also the proactive remediations feature, giving you the power to automatically detect and remediate some of the top issues hampering users’ productivity — sometimes even before users realize something is wrong — while also helping reduce helpdesk call volume.

More information and feedback

For more information on getting started, visit the Endpoint analytics documentation, and check out the FAQ. Tweet your questions or feedback using the hashtag #MEMpowered and if you have an idea for a new feature, add it to UserVoice.

Please follow @MSIntune on Twitter

(This blog is co-authored with Zach Dvorak, Senior Program Manager, and Anthony Smith (A.J.) , Senior Product Manager)

10 Reasons to Love Passwordless #8: You won’t get phished!

Maria_Puertas_Calvo — Mon, 01 Mar 2021 17:14:02 GMT

In this series, Microsoft identity team members share their reasons for loving passwordless authentication (and why you should too!). Today, Maria Puertas Calvo, data scientist for Microsoft Identity, continues the series.

Hi!

I am honored to be among such a fine group of people bringing you the goodness of passwordless authentication. Today, I’m going to talk about how passwordless dramatically reduces the risk of phishing attacks against your organization. Let’s begin!

Phishing is a form of social engineering in which a victim is tricked into giving their credentials to an attacker. It remains one of the main points of entry into organizations by cybercriminals. The attacker generally presents the user with a sign-in page that spoofs the real authentication page and hopes that the victim enters their credentials. Even long complex passwords won’t help you in a phishing situation if you enter them exactly right unknowingly on a phishing site.

Passwords are the most commonly phished credentials, but some sophisticated attackers go one step further and perform real-time phishing attacks for multifactor authentication credentials, luring the victim to provide the one-time password (OTP) sent to their email or phone. From September 2019 to September 2020, Microsoft Defender for Office blocked 1.6 billion phishing emails linking to around 2 million phishing URL sites. In 2020, phishing incidents rose by 220% compared to the yearly average during the height of global pandemic fears.

OK, you get the point. Phishing is bad and scary, but how does passwordless protect your organization from phishing attacks?

To start, most phishing sites are designed to collect passwords. If you normally don’t use a password to log in, you will be immediately suspicious if the site is asking for it. Even if you think the site is legitimate, you will likely not know your password because you never use it! Sites that phish other credentials, such as OTPs sent to your phone app or hardware token are much less prevalent, so if you choose to go passwordless say for example with the Authenticator app for its amazing usability, you’ll also get enhanced security.

But the benefits don’t end there. Two of our main passwordless authenticators are FIDO2 based - Windows Hello for Business and security keys. If you want to make it extremely hard for your users to get phished, these two authentication methods provide phishing-resistant authentication. How? – you ask. Phishing sites rely on humans not noticing that the domain asking for their credential is not the one they registered that credential with. With FIDO, this problem is avoided because the server domain is used by the client (i.e. browser) to ask the authenticator (i.e. security key) to sign the login request. What this means in simpler words is that only when the site visited is foobar.com the authenticator will provide a credential that’s valid for foobar.com. If an attacker creates foodbar.com and tries to phish the user credentials, the authenticator will sign a message that won’t be accepted by foobar.com, hence making phishing impossible.

So that’s it, one more reason to love passwordless. Go passwordless and drive cybercriminals out of business by keeping them out of your business.

Learn more about Microsoft identity:

Return to the Azure Active Directory Identity blog home
Join the conversation on Twitter and LinkedIn
Share product suggestions on the Azure Feedback Forum

Check out the other posts in this series:

What's New in Passwordless Standards, 2021 edition!
10 Reasons to Love Passwordless #1: FIDO Rocks
10 Reasons to Love Passwordless #2: NIST Compliance
10 Reasons to Love Passwordless #3: Why biometrics and passwordless are a dream combination
10 Reasons to Love Passwordless #4: Secure your digital estate, while securing your bottom line
10 Reasons to Love Passwordless #5: The Ease of Use and Portability of Security Keys
10 Reasons to Love Passwordless #6: The Passwordless Funnel
10 Reasons to Love Passwordless #7: Authenticator app for easy phone sign in

PolyBase error - 100001;Failed to generate query plan.

NathanMSFT — Mon, 01 Mar 2021 16:46:54 GMT

Problem

We've seen several cases come in lately where customers have been trying to use PolyBase feature and encountering "Failed to generate query plan" error. Depending on which command you run, the error will display differently.

CREATE EXTERNAL TABLE or CREATE EXTERNAL DATA SOURCE command fails with:

Msg 110813, Level 16, State 1, Line 21

100001;Failed to generate query plan.

SELECT from an existing external table fails with:

Msg 7320, Level 16, State 110, Line 1

Cannot execute the query "Remote Query" against OLE DB provider "MSOLEDBSQL" for linked server "(null)". 100001;Failed to generate query plan.

In either of the above scenarios, if you open the <ServerName>_<InstanceName>_DWEngine_errors.log, you'll see an error like the following:

{datetime} [Thread:<ThreadID>] [ServerInterface:InformationEvent] (Info, Normal): Starting processor ExecuteMemoProcessor. [Session.SessionId:SID##][Session.IsTransactional:False][Query.QueryId:QID##]

{datetime} [Thread:<ThreadID>] [EngineInstrumentation:EngineQueryErrorEvent] (Error, High):

Microsoft.SqlServer.DataWarehouse.Common.ErrorHandling.UnexpectedStatementException: 100001;Failed to generate query plan. ---> Microsoft.SqlServer.DataWarehouse.Sql.Optimizer.MemoDeserializer.UnknownElementException: Unknown element DatabaseUser is found.

at Microsoft.SqlServer.DataWarehouse.Sql.Optimizer.MemoDeserializer.MemoDeserializer.ShowMemoXMLState.HandleState(XmlReader reader, MemoDeserializer deserializer)

at Microsoft.SqlServer.DataWarehouse.Sql.Optimizer.MemoDeserializer.MemoDeserializer.Deserialize(XmlReader reader)

at Microsoft.SqlServer.DataWarehouse.Sql.Optimizer.MemoProvider.AbstractMemoGenerator.DeserializeMemoFromXML(SqlXml memoXml, ExecutionEnvironment executionEnvironment)

--- End of inner exception stack trace ---

at Microsoft.SqlServer.DataWarehouse.Sql.Optimizer.MemoProvider.AbstractMemoGenerator.DeserializeMemoFromXML(SqlXml memoXml, ExecutionEnvironment executionEnvironment)

at Microsoft.SqlServer.DataWarehouse.Sql.Statements.OptimizedStatement.GenerateMemo(IMemoProvider memoProvider, IQPTelemetry queryProcessingTelemetry, Boolean isLocalShellSession)

at Microsoft.SqlServer.DataWarehouse.Engine.Utils.EventUtils.PublishApplicationEventAndExecute(ApplicationEventTrigger beginTrigger, ApplicationEventTrigger endTrigger, ApplicationEventTrigger errorTrigger, ApplicationEventTrigger cancelTrigger, PublishedEventPayloadDelegate payload, Action callback)

at Microsoft.SqlServer.DataWarehouse.Engine.Processors.ExecuteMemoProcessor.OnExecuteRequest()

at Microsoft.SqlServer.DataWarehouse.Engine.Processors.AbstractProcessor.OnProcess()

at Microsoft.SqlServer.DataWarehouse.Engine.Processors.AbstractProcessor.OnExecute() [Session.SessionId:SID##][Session.IsTransactional:False][Query.QueryId:QID##]

You may also observe a memory dump file (SQLDmpr*.dmp) created in SQLServerInstallDrive:\Program Files\Microsoft SQL Server\MSSQL15.<InstanceName>\MSSQL\Log\Polybase\dump.

The problem has only been observed in SQL Server 2019 on Windows.

Cause

The problem occurs when SQL Server Engine has been patched to at least Cumulative Update 8 (15.0.4073) and the PolyBase feature hasn't been updated to the same build.

The most common way of encountering this problem is to already have installed SQL Server 2019 and patched to CU8 and then subsequently add the PolyBase feature. When you add a feature to an existing SQL Server instance that has been patched, the feature added is still at the original RTM version. This isn't specific to PolyBase feature, but any feature added to an existing instance that has been patched. This would lead to problem with being unable to create the external table.

In order to get the error when selecting from the external table, you must have already successfully created the external table. We've seen this scenario when there's been some problem applying Cumulative Update 8 to the PolyBase feature, but installation of CU8 to the SQL Engine was successful. In scenarios like this, we've seen customers have uninstalled the PolyBase feature and reinstalled it, but then failed to subsequently apply CU8 to PolyBase feature.

How to Confirm

You must determine the SQL Server Engine version and PolyBase Engine version and compare.

Determine SQL Server Engine version.

This can be done a few different ways.

Check errorlog - at the top of the file errorlog (which you can find in SQLServerInstallDrive:\Program Files\Microsoft SQL Server\MSSQL15.<InstanceName>\MSSQL\Log) the first line in the file will show the version of SQL Server Engine. For example:

{datetime} Server Microsoft SQL Server 2019 (RTM-CU8) (KB4577194) - 15.0.4073.23 (X64)

Connect to SQL Server and run the query

SELECT @@VERSION as SQLEngineVersion

The output will look something like:

SQLEngineVersion

------------------------------------------------------------------------------------------------------------

Microsoft SQL Server 2019 (RTM-CU8) (KB4577194) - 15.0.4073.23 (X64)

Sep 23 2020 16:03:08

Developer Edition (64-bit) on Windows Server 2019 Datacenter 10.0 <X64> (Build 17763: ) (Hypervisor)

Determine PolyBase Engine version

PowerShell - if PolyBase Services are running, run the following command:

Get-Process mpdwsvc -FileVersionInfo | Format-Table -AutoSize

The output will look something like:

ProductVersion FileVersion FileName

-------------- ----------- --------

15.0.2000.5 2019.0150.2000.05 ((SQLServer).190924-2033) C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\Polybase\mpdwsvc.exe

PowerShell - if PolyBase Services aren't running, run the following command:

cd 'C:\Program Files\Microsoft SQL Server'

ls mpdwsvc.exe -r -ea silentlycontinue | % versioninfo | Format-Table -AutoSize

The output will look something like:

ProductVersion FileVersion FileName

-------------- ----------- --------

15.0.2000.5 2019.0150.2000.05 ((SQLServer).190924-2033) C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\Polybase\mpdwsvc.exe

If for some reason the two above examples don't work, you can use the original setup media and run SQL Discovery

Start SQL Server setup (setup.exe)
Click on Tools in left pane
Click Installed SQL Server features discovery report. It will generate a Setup Discovery Report that will look something like this:

Microsoft SQL Server 2019 Setup Discovery Report

Product	Instance	Instance ID	Feature	Language	Edition	Version	Clustered	Configured
Microsoft SQL Server 2019	MSSQLSERVER	MSSQL15.MSSQLSERVER	Database Engine Services	1033	Developer Edition	15.0.4073.23	No	Yes
Microsoft SQL Server 2019	MSSQLSERVER	MSSQL15.MSSQLSERVER	SQL Server Replication	1033	Developer Edition	15.0.4073.23	No	Yes
Microsoft SQL Server 2019	MSSQLSERVER	MSSQL15.MSSQLSERVER	PolyBase Query Service for External Data	1033	Developer Edition	15.0.2000.5	No	Yes
Microsoft SQL Server 2019	MSSQLSERVER	MSSQL15.MSSQLSERVER	PolybaseCore\PolybaseJava	1033	Developer Edition	15.0.2000.5	No	Yes
Microsoft SQL Server 2019	MSSQLSERVER	MSSQL15.MSSQLSERVER	Azul-Java-Runtime	1033	Developer Edition	15.0.2000.5	No	Yes

You can check KB4518398 - SQL Server 2019 build versions (microsoft.com) to see which ProductVersion value corresponds to which Cumulative Update.

Compare Versions

If the versions don't match and PolyBase Engine version is less than SQL Server Engine, and SQL Server Engine is at least 15.0.4073, then you have confirmed the problem is due to not having applied the same Cumulative Update to PolyBase feature.

Resolution

To resolve this issue, you need to apply the same Cumulative Update to PolyBase features that SQL Engine is already on.

Additional Information

In Cumulative Update 8 there was a change made to the XML memo that is sent from SQL Server Engine to PolyBase Engine. If the PolyBase Engine is on a build prior to CU8, it will be unable to "deserialize" the memo and throw this error because it cannot generate a query plan.

In general, any time any feature is added to an existing SQL Server instance that has been patched, you need to reapply the same patch to bring the feature to same build.

Azure Marketplace new offers – Volume 118

Christine_Alford — Mon, 01 Mar 2021 16:30:42 GMT

We continue to expand the Azure Marketplace ecosystem. For this volume, 101 new offers successfully met the onboarding criteria and went live. See details of the new offers below:

Applications
	AddPro Azure Managed Services: AddPro helps manage Microsoft Azure resources at resource group and subscription levels. AddPro will use delegated access to set up, configure, monitor, and operate services.
	AI-FI Demand Forecasting ML: Alithya Digital helps optimize supply chain material procurement and demand planning with AI analytics. You can more accurately predict future material demand by product category or store location with machine learning (ML) methods.
	AI-Powered Azure Automation as a Service: Dynapt Solutions offers this comprehensive automation, monitoring, and management solution for Microsoft Azure. This management platform helps take the grunt work out of managing your Azure usage.
	An EMR that replicates paper: Clinicea from Technolarity converts paper forms into a customized electronic medical record (EMR) that is classified based on its clinical significance. Built on Microsoft Azure, Clinicea creates an ongoing medical summary for each patient.
	ArchiveBox: This self-hosted internet archiving solution by Linnovate Technologies is written in Python 3. You feed it URLs of pages, and it saves them to disk in a variety of formats depending on the configuration and the content it detects.
	Azure Blob Connector for SAP: The CaRD Azure Blob ArchiveLink Connector for SAP uses Microsoft Azure containers as content repositories in SAP. You can save all your SAP-managed documents as attachments or documents in Azure.
	Azure Cost Optimization: Acuvate’s AI-driven managed services are designed to help you better predict and transform future outcomes, optimize Microsoft Azure spending, monitor AI-based anomalies, and build more intelligent IT environments.
	BIC For Payers: Score +: Score+ by Citiustech is a real-time quality performance platform to improve Healthcare Effectiveness Data and Information Set (HEDIS) scores. It is designed to give health plan providers the granular visibility and transparency they need.
	Birlasoft intelliOpen Solution: Leaders are looking for ways to rebuild safer workplaces. Birlasoft intelliOpen is an intelligent system for contactless screening, monitoring social distancing, and contact tracing without collecting any personally identifiable information (PII).
	BlueVoyant MDR for Azure Sentinel: BlueVoyant managed detection and response (MDR) for Microsoft Azure Sentinel combines the power of a SIEM tool with a security operations team to identify and remediate cyberattacks.
	ByteSave: TSG offers this simple tool for small and medium-sized businesses to back up and restore files or folders into Azure Blob Storage. This application is available in English and Vietnamese.
	CentOS 7.9: This pre-configured image by Cloud Whiz Solutions provides CentOS 7.9 on Microsoft Azure. CentOS Linux is a rebuild of the freely available sources for Red Hat Enterprise Linux (RHEL).
	CentOS 8.3: This pre-configured image by Cognosys provides CentOS 8.3 on Microsoft Azure. CentOS is a stable, predictable, manageable, and reproducible computing platform.
	CentOS 8.3 Cloud Ready: This pre-configured image by Cloud Whiz Solutions provides CentOS 8.3 on Microsoft Azure. CentOS Linux is a rebuild of the freely available sources for Red Hat Enterprise Linux (RHEL).
	Chartmuseum - Helm Chart Repository: ChartMuseum is an open-source Helm chart repository that is used in development, especially for continuous integration (CI) and continuous delivery (CD) in Kubernetes environments.
	Clinic Assist Software: This comprehensive clinic management solution by Assurance Technology consists of practice management and electronic medical records functions to support clinic operation, management, documentation, and compliance.
	Corvidae - A radically new approach to attribution: Corvidae unbundles marketing data silos, including Google Ads and Facebook marketing campaigns, and rebuilds your data. Corvidae deploys entirely in Microsoft Azure and can feed directly into Microsoft Dataverse.
	Cyren Inbox Security: Phishing, business email compromise, and fraud attacks are getting past existing email defenses. Delivered as a native cloud service, Cyren Inbox Security establishes a continuous and automated layer of security right in users’ mailboxes.
	Data Privacy Manager: This privacy management platform helps solve common General Data Protection Regulation (GDPR) problems. The platform design enables full control over personal data processing, ranging from data collection to data removal from all systems.
	Debian GUI Linux by Techlatest.net: This pre-configured image contains a Debian 10 GUI-based Linux desktop environment built by Techlatest.net. Debian is composed of free, open-source software, developed by the community-supported Debian Project.
	Dynasty - Information and Case Management: Available in Finnish and Swedish, Innofactor Dynasty is a certified public sector case management suite for municipal and state administration. It contains case, document, meeting, contract, decision, and information management modules.
	eGain Customer Engagement Suite on Azure: Delivering memorable customer journeys, the eGain Customer Engagement Suite provides a digital customer engagement omnichannel experience that is unified and personalized for the enterprise.
	eInsight CRM: Cendyn's platform provides marketing automation and guest intelligence for enterprise hotels, multi-property hotels, and multi-brand hotels. It consolidates, engages, and measures disparate data points about travelers throughout the guest journey.
	Email TeamMate by harmon.ie: Many organizations have rapidly rolled out Microsoft Teams during the pandemic. Email TeamMate brings an Outlook interface into Microsoft Teams for users to select and share Outlook emails within Teams conversations and chats.
	EmpowerIQ: Microsoft 365 User Adoption Service: Crayon US developed this self-service training portal to educate about the modern workplace tools and technologies that Microsoft 365 provides. With over 4,000 learning materials, you can benefit from personalized learning tracks.
	Eolementhe CC collaborative subtitling platform: Developed by Videomenthe for marketing, communications, HR professionals, journalists, and content creators, Eolementhe CC automates subtitling with human revision in 120 languages. This app is available in French, English, and Spanish.
	eSklep - Online store from home.pl: home.pl offers a complete store for online sales and business development. You can create your store without a sales commission and operate it from any device. This app is available only in Polish.
	FACEPLATE IIoT: FACEPLATE's platform provides advanced remote monitoring of discrete and process manufacturing through the Industrial Internet of Things (IIoT). FACEPLATE’s mission is to connect equipment, visualize information, and analyze efficiency.
	Genesys Engage Enterprise Contact Center: Engage is an omnichannel and customer engagement solution for large-scale Microsoft Azure customers. With Genesys Engage, you can unify voice and digital channels, self-service, work items, and inbound and outbound interactions.
	Handshakes App: Powered by proprietary data analytics technology, Handshakes provides real-time access to information on specific persons or companies. Map out relationship networks and uncover potential conflicts of interest.
	Health Hero Wellness Engagement: Health Hero Bot on Microsoft Teams allows teams of any size to create fun and engaging well-being activities and challenges that bring your team and peers together to receive activity points.
	Inno App: Revitalize and optimize your application portfolio with containers and Kubernetes. Mindtree helps you utilize cutting-edge DevOps, enabling app developers and IT operations to deliver business value with speed and innovation.
	Inspection Management: Available only in Russian, this app oversees preventive and repair work, displays the list of work to be completed by engineers, sends information about the work carried out at sites, and automates reporting.
	Kubernetes Event Exporter Helm Chart: This pre-configured container image from Bitnami provides Kubernetes Event Exporter as a Helm chart. Kubernetes Event Exporter makes it easy to export Kubernetes events to other tools, enabling custom alerts and aggregation.
	Learning Management System Mentor: Available only in Spanish, Mentor TM is OpenTec's learning and talent management system that helps you plan, distribute, monitor, and evaluate training processes in different modalities.
	Levridge Scale: This app can be used to accurately capture weight and grade factors while issuing scale tickets, with tickets issued to drivers or synchronized to Microsoft Dynamics 365 Finance in real time. This app is available in the United States and Canada.
	Managed Defender for Endpoint (SOC): Truesec adds leading cybersecurity competence, always-on monitoring, and elimination of false positives to Microsoft Defender for Endpoint. Truesec's Security Operations Center (SOC) as a service provides active threat monitoring.
	MedDream DICOM Viewer: MedDream is designed by Softneta to aid medical professionals in their daily decision-making processes. The DICOM Viewer is FDA-cleared for diagnostic use as a Class 2 medical device and can be installed in Microsoft Azure.
	mGrants - A Grants Management System on Power Apps: Based on MERP Systems’ experience with US federal agencies, state and local governments, and non-profit organizations, mGrants is an all-in-one solution for the grants process, from program initiation through awards management.
	Microsoft Teams Automation Solution: With the rapid adoption of Microsoft Teams, enterprises face the challenge of driving efficiency and governance for Teams. Cambay developed this solution on Power Automate, Microsoft Power Apps, and Azure Automation to drive workflow automation.
	Mission Critical Azure - CSP: Wortell offers a fully managed service for your business-critical Microsoft Azure environment. This package provides seamless Azure management access control via Azure Lighthouse.
	Narad: Cloudstrats Technologies offers this integrated command-and-control center for real-time digital surveillance, disease control, and outbreak management. The COVID-19 Outbreak Management System is included.
	Newgen ActiveScript: Newgen Omnidocs ActiveScript enables end-to-end automation of your industry-specific, document-centric processes. Ensure business continuity and enable remote work while providing access to relevant documents at any time from anywhere.
	Node-RED on IoT Edge: Node-RED is a programming tool for connecting hardware devices, APIs, and online services in new and interesting ways. Using Node-RED with Azure IoT Edge makes it possible to easily communicate with the cloud.
	OnActuate Fraud Protection (SaaS): An extension to the Microsoft Dynamics 365 Fraud Protection suite, OnActuate offers risk-based assessment, multi-factor authentication, and two types of identity verification services.
	Orbital Witness: This application helps real estate professionals conduct legal due diligence in the United Kingdom by allowing them to instantly understand legal risks at a site.
	Postgres Pro Standard Database 9.5 (VM+docker): This pre-configured container image by Postgres Professional provides a PostgreSQL-based Postgres Pro Standard Database 9.5 container image with a Debian server. Postgres Professional develops Postgres Pro Database, a private PostgreSQL fork.
	Postgres Pro Standard Database 9.6 (VM+docker): This pre-configured container image by Postgres Professional provides a PostgreSQL-based Postgres Pro Standard Database 9.6 container image with a Debian server. Postgres Professional develops Postgres Pro Database, a private PostgreSQL fork.
	Postgres Pro Standard Database 10 (VM+docker): This pre-configured container image provides a PostgreSQL-based Postgres Pro Standard Database 10 container image with a Debian server. Postgres Professional develops Postgres Pro Database, a private PostgreSQL fork.
	Qumuli Security & Cloud Compliance Platform: Qonsult Systems provides this multi-cloud compliance security posture management (CSPM) platform for security automation, provisioning, compliance monitoring, and reporting. Make it easier to maintain industry compliance.
	SaguiLog: Manage your orders, delivery lists, vehicles, and drivers with SaguiLog, an integrated carrier management app that is compatible with mobile devices and integrates with Microsoft 365. This app is available only in Brazilian Portuguese.
	Scheduling assistant using Microsoft Health Bot: Using AI, language understanding built on Azure LUIS, Azure QnA Maker, and Microsoft Health Bot Service, the IWConnect scheduling assistant drastically reduces the time to schedule appointments, check doctors’ availability, and set reminders.
	Sense Traffic Pulse OneAPI: Sense Traffic Pulse OneAPI together with Intel oneAPI delivers on-demand intelligent video analytics with the power of machine learning and AI. It relies on Microsoft Azure, Intel's OpenVINO Toolkit, and computer vision architecture technology.
	Skalable Stream - AI-Driven Invoice Automation: Stream is an easy-to-use accounts payable platform that cuts the time and expense of manually processing vendor invoices by up to 90 percent. It automates the process of importing accounts payable data and managing vendor invoices.
	Smile CDR CMS FHIR Data Platform: Smile CDR is a complete enterprise Fast Healthcare Interoperability Resources (FHIR) data platform that can meet the Centers for Medicare & Medicaid Services (CMS) Interoperability and Patient Access rule.
	Strata - Maverics Identity Orchestrator: Maverics is an abstraction layer that simplifies identity delivery to apps, enables secure hybrid access for Azure Active Directory, and consolidates management of policies and identities across multiple clouds.
	Teams Control: Developed by Infoworker, Teams Control is a governance tool for managing the growth and creation of new teams. It allows you to create different Microsoft Teams templates based on your needs.
	Trivadis Crisis Management App: Ensure that your company continues to operate in crisis situations. The Trivadis app is based on the Microsoft Power Platform and helps you manage exceptional situations by enabling transparent and prompt communication with your employees.
	Trivadis Dashboard: Based on Microsoft Power BI, this dashboard provides you with an overview of important internal and external news, including the latest tweets and media reports, contract status, employee attendance, and more.
	Trivadis Workforce App: Monitor work status and absences with the Trivadis Workforce App, which is based on the Microsoft Power Platform. You can quickly reorganize your team if the situation requires it. The app can be linked to various services, including Outlook.
	Ubuntu 16.04 LTS Minimal Ready to use: Cloud Maven provides this pre-configured, ready-to-use image of Ubuntu 16.04 LTS Minimal. Ubuntu Minimal is designed for automated deployment at scale and made available across a range of cloud substrates.
	Ubuntu 18.04 LTS Minimal Ready to use: Cloud Maven provides this pre-configured, ready-to-use image of Ubuntu 18.04 LTS Minimal. Ubuntu Minimal is designed for automated deployment at scale and made available across a range of cloud substrates.
	Ubuntu 20.04 LTS Minimal Ready to use: Cloud Maven provides this pre-configured, ready-to-use image of Ubuntu 20.04 LTS Minimal. Ubuntu Minimal is designed for automated deployment at scale and made available across a range of cloud substrates.
	Unifield: Create digital twins or predict construction risks earlier in a simulation. Unifield combines the latest business intelligence, AI, and IoT technologies to offer an integrated 5D Building Information Modeling construction management solution.
	Voicy Telephone Agent: Driven by artificial intelligence, machine learning, and natural language processing, Voicy.ai's Telephone Agent is a completely automated service that answers phone calls, solves customer queries, and generates orders.
	WISE-PaaS/IoTSuite: WISE-PaaS/IoTSuite is a complete IoT platform that covers a set of development kits to enable the rapid development of IIoT applications as well as cloud-native applications and data management platforms.
	WitFoo Precinct 6.1 Diagnostic SIEM (BYOL): WitFoo’s Precinct is a big data diagnostic SIEM that provides advanced analytics, log collection, and log aggregation. Bring your own license (BYOL) from a WitFoo reseller.
	WitFoo Precinct 6.1 Diagnostic SIEM (PAYG): Pay as you go (PAYG) to use WitFoo’s Precinct, a big data diagnostic SIEM that provides advanced analytics, log collection, and log aggregation.
	Wrench SmartProject - Project Performance Control: SmartProject is an intelligent cloud-based platform for project owners, consultants, and contractors that is designed to help them collaborate, plan, monitor, and control the lifecycle of their projects.
	Yva.ai SaaS with Microsoft: Yva.ai is a real-time employee experience platform that combines weekly micro-surveys with collaboration analytics across corporate tools to enhance employee wellness and engagement.
	ZFlow: ZFlow lets you easily model and optimize business processes intended for users of both local and cloud versions of Microsoft SharePoint.
Consulting services
	Analytics Quick Start: 10-Hour Workshop: Altitudo will evaluate your Microsoft Azure data analytics systems with respect to the solutions market and to other companies in the sector. This offer is available only in Italian.
	Azure Infrastructure Readiness: 4-Week Assessment: This infrastructure assessment by Agilisys will help build your cloud strategy. Agilisys will identify utilization and interdependencies to provide time and cost estimates for migrating your estate to Microsoft Azure.
	Azure Integration: Clear Ship 4-Hour Workshop: Available only in German, DATA Passion experts will analyze your application integration needs and suggest smart integration solutions built on technologies such as Azure Integration Services or Microsoft BizTalk Server.
	Azure Starter: 2-Week Implementation: Starting with best practices from Azure DevOps and Azure Cloud Services, DataArt will help automate the initial setup of your Microsoft Azure projects to significantly lower the entry threshold for new users.
	Business Intelligence Delivery: 10-Week Implementation: Depending on your business needs and technology stack, SoftwareONE can implement your business intelligence strategy in Microsoft Azure by using Azure Synapse Analytics, Azure Data Factory, and Microsoft Power BI.
	Caloudi App Modernization: 1-Day Assessment: Caloudi Corporation provides end-to-end support throughout your web app transformation journey. Its app assessment will provide you with a modernization plan, a design plan, and a cost estimate.
	Cloud Discovery and Assessment - Two Weeks: This engagement is for customers planning to integrate public or hybrid cloud solutions into their infrastructure. VAST IT offers inventory analysis, roadmap generation, application mapping, vendor analysis, and migration planning.
	Cloud Velocity - Cloud Transformation: 2-Week Assessment: UST offers Cloud Velocity, a platform enabling a simplified and automated approach to move workloads from the datacenter to Microsoft Azure. It includes automated discovery and inventory analysis to minimize business disruptions and decision touchpoints.
	Connected Smart Devices: 4-Week Proof of Concept: Convert your devices into smart connected devices through IoT-friendly Plug and Play modules. Anvation Labs will connect your devices to Azure IoT Hub, manage data flow, and visualize the data in Microsoft Power BI.
	Data Modernization: 6-Week Implementation: Insight Canada will classify your legacy data estate and help you modernize your existing assets or adopt cloud-native approaches to data platform architecture by using Microsoft Azure services.
	Data Modernization Azure in a Day: 4-Hour Workshop: If you are in a data management or technical decision-making role, DataArt invites you to an interactive exploration of how to migrate apps and databases to the cloud. The workshop provides hands-on experience with data migration tools.
	Data Warehouse Cloud Migration: 8-Hour Assessment: BizOne offers this assessment and virtual workshop for organizations that are considering migrating their data warehouse to Microsoft Azure. BizOne will create a high-level architectural suggestion and a cost estimate.
	Datanomics Data & AI practice: 6-Week Implementation: Datanomics provides predictive analytics for retail and fast-moving consumer goods businesses. Using Microsoft Azure technologies and machine learning, Datanomics will help you with data-driven purchasing and optimization of inventory and assortment policy.
	Docker Workshop - 1 Day: Newwave Telecom and Technologies will help your developers and engineers understand the concept of containerization technology using Docker to improve their proficiency in building apps in Microsoft Azure.
	Journey to Cloud: 4-Week Assessment: Nubiral will help you understand the benefit of bringing your business to the cloud and migrating to Microsoft Azure with ease and efficiency. This assessment is available only in Spanish.
	Microsoft Identity Security: 3-Day Workshop: Protect your authorized users' identities and allow them to access the apps they need on the devices they want. Apex Digital Solutions’ workshop provides you with a security posture assessment and a strong security foundation.
	Migesa Risk & Compliance Assessment - 4 Weeks: Migesa will assess your Microsoft Azure environment to detect and mitigate threats. Migesa will also provide a roadmap for implementation, use, consumption, and adoption of services. This service is available only in Spanish.
	Migrate VMware VMs to Azure: 3-Day Assessment: Korcomptenz will help migrate your VMware VMs using Azure Migrate: Server Migration, a Microsoft tool that can seamlessly migrate VMWare virtual machine workloads to Microsoft Azure.
	Move to Microsoft Azure: 8-Week Proof of Concept: Dace IT will assess and migrate services for small businesses seeking to move operations to Microsoft Azure and interested in expenditures that may be eligible for coverage under the Paycheck Protection Program (PPP).
	MultiCloud Manager: 8-Week Implementation: UST MultiCloud Manager enables near zero-touch operation and common end-to-end governance for any cloud. It gives you a standard way to optimize, secure, and govern your complex hybrid cloud environment.
	Openvino Smart Cities Reference Implementation: DACE IT will implement a smart-city reference solution built on Intel's OpenVINO Toolkit and smart city sample.
	Sage 200 on Azure: 4-Week implementation: OfficeTechHub will install your Sage 200 on-premises solution in Microsoft Azure. OfficeTechHub will build virtual machines in Azure, add disaster recovery and backup, and train key users. A demo can be organized at no cost.
	Servian DevOps Compass 1-week - Workshop & Report: One of the Servian Compass solutions, the DevOps Compass program provides a clear and concise path to deliver new functionality in stages, focusing on standard practices across the DevOps lifecycle.
	SIEM - ZenSOC Azure Sentinel 2-Week Assessment: Zensar offers this free assessment to build a business case for your organization to deploy a cloud-native SIEM solution using Microsoft Azure Sentinel to address cyberattacks.
	UNICLOUD MANAGED SERVICES: Take advantage of UniCloud's always-available remote management and consulting for Microsoft Azure services. UniCloud provides virtual machine management, monitoring, security, backups, and storage.
	Windows Virtual Desktop: 1-Day Workshop: Spektra Systems invites you to a one-day workshop covering architecture, deployment, and management aspects of a quality implementation of Windows Virtual Desktop.
	Windows Virtual Desktop: 2-Week Proof of Concept: Spektra Systems offers a free proof of concept for you to try Windows Virtual Desktop in a sandbox or in your own environment along with access to Spektra experts.
	Windows Virtual Desktop: 5-Week Implementation: Spektra Systems will work with your IT and business users to set up a desired Windows Virtual Desktop environment packaged with Microsoft 365 security capabilities.
	X.CELERATE KYC: AI-ML KYC Automation: 6-Week Proof of Concept: Xoriant Corporation will implement a test environment of its X.CELERATE KYC solution, helping streamline your compliance processes by using Microsoft Azure and Azure-based services.
	Zero Trust Framework: 2-Week Security Assessment: Brillio offers this enterprise security assessment to discover IT assets across six domains and recommend tools, services, solutions, and best practices to harden your security.

SharePoint Roadmap Pitstop: February 2021

Mark Kashman — Mon, 01 Mar 2021 16:00:00 GMT

So, there may be six more weeks of Winter – thanks, Phil. And February may only have 28 days this go around the sun… but it was busy, no matter how long or short the groundhog shadows.

February 2021 brought some great new offerings: Microsoft Viva Topics (GA), SharePoint web part toolbox updates, Lightbox for images, Quick Links web part audience targeting, SharePoint portal launcher scheduler, Microsoft Lists: Number column updates, Managed Metadata column, Microsoft Search in classic SharePoint sites, and more. Details and screenshots below, including our audible, “groundhog, shadow-casted” companion: The Intrazone Roadmap Pitstop: February 2021 podcast episode – all to help answer, "What's rolling out now for SharePoint and related technologies into Microsoft 365?"

In the podcast episode, I chat with Naomi Moneypenny (LinkedIn | Twitter), principal PM manager at Microsoft focused on building new capabilities in advanced content, knowledge, and search experiences in Microsoft 365. We talk about the challenges of harnessing knowledge in the enterprise, the tech behind Viva Topics, and a future glimpse of what’s to come next from she and the Project Cortex team.

Naomi Moneypenny, principal PM manager at Microsoft (Microsoft) [Intrazone guest], with Mark Kashman on a Teams interview call [host]

All features listed below began rolling out to Targeted Release customers in Microsoft 365 as of February 2021 (possibly early March 2021).

Inform and engage with dynamic employee experiences

Build your intelligent intranet on SharePoint in Microsoft 365 and get the benefits of investing in business outcomes – reducing IT and development costs, increasing business speed and agility, and up-leveling the dynamic, personalized, and welcoming nature of your intranet.

Microsoft Viva Topics (general availability)

Topics is the latest product output from Project Cortex, bringing artificial intelligence (AI) to empower people with knowledge and expertise in the apps they use every day and to connect, manage, and protect content across systems and teams. It is also the first one of four disclosed Microsoft Viva modules to be released.

Microsoft Viva is the new employee experience platform built on Microsoft 365 that empowers people and teams to be their best from wherever they work. See Viva Topics in action:

Think of Viva Topics as a Wikipedia with AI superpowers. It uses AI to automatically organize company-wide content and expertise into relevant categories like “projects,” “products,” “processes,” and “customers.”

When you come across an unfamiliar topic or acronym, just hover. No need to search for knowledge—knowledge finds you. Viva Topics automatically surfaces topic cards as people work in apps like Office, SharePoint, and Microsoft Teams. When employees click on a card, a topic page appears with documents, videos, and related people. Experts at the company can also help curate the information shown in Viva Topics by sharing knowledge through simple, highly customizable web sites called Topic Pages.

Learn more, plus the Viva Topics Buy Now page, which includes cost information, plus licensing requirements.
Roadmap ID: 72069.

SharePoint web part toolbox updates

This one is for page authors or site owners that design a lot of content on their site home page. If you're new to using web parts, one thing the team discovered was the lack of discovery - of all the useful web parts.

So, to help, we are updating the web part toolbox to make it easier to find and use web parts on pages and news posts. We have added categories, a toggle to switch between a grid view and list view, web part descriptions in list view, and a section for the user’s most frequently used web parts.

Updated web part toolbox when authoring SharePoint pages and news articles.

Bring content visualization to life across your intranet pages and news, now with greater creator visibility when using the service.

Learn more, "Using web parts on SharePoint pages" [support article]
Roadmap ID: 70668.

Lightbox for images on SharePoint pages

A lightbox popup is a window overlay that appears on top of a webpage. With this update, when people click or tap on an image in SharePoint, they will be able to see a larger version of the image in the lightbox. When viewing the image in the lightbox, the remainder of the page is inactivated and dimmed.

And then, it's easy to close lightbox and turn back to the rest of the page.

Click on an image from a SharePoint page to get a clearer, focused view of it. The rest of the page will darken, and any image captions will appear below the image.

There has been a lot of new tech for uploading and working with images during the edit phase, to crop, resize, rotate… and once you've gotten just the way you want it, your readers can see it best in all its glory all lit up and large in the lightbox.

Learn more about using the Image web part.
Roadmap ID: 70669.

SharePoint: Audience Targeting for Quick Links web part

We are adding the ability to target specific audiences per link within the Quick Links Web Part. With it, you will be able to target specific links to different audiences, helping you provide more personalized experiences on SharePoint pages.

Enable audience targeting to promote links to specific audiences across the site.

The Quick Links web part "pins" items to your page for easy access.
Roadmap ID 67115.

SharePoint Portal Launch Scheduler

This is an admin feature designed to help coordinate and schedule launch details for SharePoint sites that are expected to receive high volumes of traffic. The Portal Launch wizard available via SharePoint PowerShell is designed to configure the deployment waves when launching a new site. It also provides an automatic redirect for users dependent on which redirect option is selected.

The Portal Launch Scheduler makes it possible for you to manage a phased rollout for a new SharePoint site. It also provides an automatic redirect for existing sites, if needed.

Example PowerShell command to designate portal launch waves.

During each of the waves, you can gather user feedback and monitor performance. This provides a managed way to slowly introducing the portal, giving you the option to pause and resolve issues before proceeding; ultimately ensuring a positive experience for your users from start to fully launched.

Learn more:
- Creating and launching a healthy SharePoint portal
- Launch your portal using the Portal Launch Scheduler
Roadmap ID: 66162.

Teamwork updates across SharePoint team sites, OneDrive, and Microsoft Teams

Microsoft 365 is designed to be a universal toolkit for teamwork – to give you the right tools for the right task, along with common services to help you seamlessly work across applications. SharePoint is the intelligent content service that powers teamwork – to better collaborate on proposals, projects, and campaigns throughout your organization – with integration across Microsoft Teams, OneDrive, Yammer, Stream, Planner and much more.

Microsoft Lists | Support for thousands separator and custom symbols in Number columns

With Microsoft Lists and SharePoint lists, owners and members have the ability to add a thousands separator to numbers and to be able to choose their preferred symbol that best represents what the numbers represent - like the various currency symbols used across the world.

When using Number columns in lists, configure numbers based on how you want or need to present them.

There's an important difference between the Yen and the Euro, and you want it to be as clear as it can be. The right symbol goes a long way.

Roadmap ID: 68716.

Adding taxonomy columns for modern SharePoint library views

Yes, the power of metadata in the hands of those that need to manage document library content as the business prescribes. This new feature gives you the ability to add taxonomy-powered columns directly to library views in modern SharePoint libraries.

The Managed Metadata column connects your information to your organization’s term store (taxonomy).

Quick note: SharePoint document libraries are powered by lists for their row and column capabilities.

With this update, users will see a new Managed metadata option as a column type within the Add column menu in SharePoint lists and libraries. Then simply specify the column information such as name and description as well as choose their organization's desired term set or term, to associate the column with. From there, the use of that column is driven by the managed metadata coming from the programmed, managed term set.

Learn more about creating a Managed Metadata column.
Roadmap ID: 70609.

Microsoft Search in classic SharePoint sites

This is a quick and simple one, with lots of power for sites that have been around a while and may still be in classic mode. We are expanding the reach of Microsoft Search; classic SharePoint team sites that do not have customized search experience will be updated to the modern Microsoft Search experience, bringing improved personalization and relevance.

Classic SharePoint pages in Microsoft 365 will start using Microsoft Search, which provides personalized results with higher relevance. Top show the classic search experience – note the top-right search box, and the bottom shows a classic site using Microsoft Search – the search box at the center top.

That's it. Another example of how Microsoft Search is truly powering search throughout Microsoft 365 - aka, no site left behind.

Learn more.
Roadmap ID: 57131.

Related technology

Text predictions are coming to Word for Windows

Initially, text predictions popped up in Outlook for Windows - during composition to help users write more efficiently by predicting text quickly and accurately. Now, text predictions are coming to Microsoft Word when writing documents in English. And we know a lot of Word document are created in Teams, SharePoint, and OneDrive.

Text predictions within Word for Windows appear ahead as you type.

As you type, you'll see suggested text, which you can accept by tapping the Tab key or they can ignore suggestions by simply continuing to type. The feature reduces spelling and grammar errors and learns over time to give the best recommendations based on your writing style.

Note: this is a Microsoft 365 connected experience, and can be turned off by going to any Microsoft 365 application such as Word, Excel, or PowerPoint and going to File > Account > Manage Settings. This feature can also be managed through the policy settings for privacy controls.

Learn more.
Roadmap ID: 80179.

Evolution of Microsoft Lens (formerly Office Lens)

And with the evolution, beyond a new name, comes some dynamic new features, like intelligent actions into the camera, including: Image to Text, Image to Table, Image to Contact, Immersive Reader, and QR Code Scan.

One of the new intelligent actions into the camera: Image to Text.

We are releasing an improved scan experience allowing you to re-order pages, re-edit scanned PDFs, apply a filter to all images in the document, scan up to 100 pages as images or PDFs, easily switch between local and cloud locations while saving PDF, along with an easy way to identify local and cloud files.

We're noting it here because Microsoft Lens powers the camera in Microsoft 365 mobile apps, including Office, Microsoft Teams, Outlook, and OneDrive - yes, OneDrive loves lens - scan, scan, scan the physical world right where it needs to be stored digitally.

Learn more, and download for iOS and Android.

OneDrive for Android updates

We’re introducing an updated home screen experience for Android users, plus support for Samsung Motion Photos and 8K video. Now, you can pick up where you left off on recent and offline files, and easily re-discover memories from the past right from the home screen.

The new home screen experience on OneDrive for Android shows recently accessed files, files downloaded for offline use, and “On This Day” photos.

For Samsung Android phones, OneDrive has always saved your Samsung Motion Photos, and now you’ll be able to view them in all their moving glory. Similarly, you’ve always been able store Samsung 8K videos with no loss or compression on OneDrive, and now you can play them back as well. Great storage always, and now rich, new viewing experiences on your Android device.

Learn more. And make sure you have the latest updates with OneDrive for Android.

March 2021 teasers

Psst, still here? Still scrolling the page looking for more roadmap goodness? If so, here is a few teasers of what’s to come to production next month…

Teaser #1: SharePoint app bar [Roadmap ID: 70576]
Teaser #2: SharePoint page analytics [Roadmap ID: 70635]

… shhh, tell everyone – especially Punxsutawney Phil.

Helpful, ongoing change management resources

Install the Office 365 admin app; view Message Center posts and stay current with push notifications.

Microsoft 365 public roadmap + pre-filtered URL for SharePoint, OneDrive, Yammer and Stream roadmap items.

SharePoint Facebook | Twitter | SharePoint Community Blog | UserVoice
OneDrive Facebook | Twitter | OneDrive Community Blog | UserVoice

Follow me to catch news and interesting SharePoint things: @mkashman; warning, occasional bad puns may fly in a tweet or two here and there, plus my new blog on Substack: The Kashbox.

Thanks for tuning in and/or reading this episode/blog of the Intrazone Roadmap Pitstop – February 2021 (blog/podcast). We are open to your feedback in comments below to hear how both the Roadmap Pitstop podcast episodes and blogs can be improved over time.

Engage with us. Ask those questions that haunt you. Push us where you want and need to get the best information and insights. We are here to put both our and your best change management foot forward.

Stay safe out there on the groundhoggy-shadowy-laden road’map, and thanks for listening and reading.

Thanks for your time,

Mark Kashman – senior product manager (SharePoint/Lists) | Microsoft)

The Intrazone Roadmap Pitstop - February 2021 graphic showing some of the highlighted release features.

Add up to 25 embedded, editable labels to your tasks

PlannerTeam — Mon, 01 Mar 2021 15:30:10 GMT

Labels in Planner are visual cues, drawing attention to a particular set of tasks for a particular reason. For example, you might use labels to tag tasks with the same completion requirements, dependencies, or issues, and then filter your plan on those labels to zero-in on related tasks. In short, labels are a quick, visual way to categorize similar tasks.

But we’ve long heard that the current catalogue of labels (six total) isn’t enough; in fact, adding more labels to Planner is one of the very top asks on UserVoice. This update has been on our radar as long as yours, so we’re thrilled to announce that there are now 25 labels available in Tasks in Teams and Planner on all platforms and in most environments. (GCC availability is coming in March.)

Each of the 25 labels is a different color, and each can be edited with whatever text you’d like. More labels mean more options for getting a similar group of tasks done right: flagging more risks, signaling more reasons for a delay, prompting reviews from more people, and tagging more departments, to name a few.

We’re constantly chipping away at big and small asks alike from UserVoice, and invite you to submit your ideas for improving Planner and Tasks in Teams to that site. In the meantime, keep checking our Tech Community Blog to see which ask we address next.

Implement hybrid and multicloud with Cloud Adoption Framework

Pratibha Sood — Mon, 01 Mar 2021 13:00:00 GMT

The Microsoft Cloud Adoption Framework for Azure guides your entire cloud journey through best practice guidance. Achieve the right business outcomes for your organization, implementing business and technical strategies throughout the cloud adoption lifecycle. We are continually adding new content as we learn through the experience of our field engineers, partners, and customers. We are excited to introduce a new customer journey in the framework that provides guidance for hybrid and multicloud adoption scenarios.

Unlock flexibility, agility, and scale with hybrid and multicloud

As businesses accelerate cloud innovation, there continues to be increasing technology investment in on-premises infrastructure (local data centers, branch offices, and edge platforms), and increasing adoption of the cloud across multiple providers. The hybrid and multicloud approach connects on-premises infrastructure to diverse cloud infrastructure—extending innovations like simplified cloud management and consistent cloud services.

This rich infrastructure empowers organizations with the flexibility, agility, and scale they need to drive innovation. It also adds complexity to management and operations processes of asset portfolios across different hybrid platforms, and customers face three key needs when adopting a hybrid and multicloud approach, as a result:

Visibility: Customers need visibility into the health of their existing, as well as future infrastructure and applications, in a single pane of glass.
Compliance: Many customers want to maintain consistent governance, compliance, and organizational regulations and policies. Customers can extend unified cloud management across environments, applying consistent governance policies and operational control processes to resources scattered across heterogeneous environments
Integration: There are a wide range of skills across on-premises and cloud, since organizations often have different app development teams. Customers are looking for consistent interoperability between the two so they can unify development practices.

Address hybrid and multicloud needs with unified operations

Unified operations centrally governs, manages, and operates your resources regardless of where they live, whether on-premises, edge or multicloud platforms, reducing duplication in cloud platform utilities around governance, security, and operations tooling. In implementing unified operations, a single enterprise control plane extends across your organization's distributed assets, bringing consistent management, application development, and cloud services to any infrastructure, anywhere, at scale. In the case of Azure, that single control plane is Azure Arc, which extends the same controls and operational processes used to govern the Azure cloud to other public clouds, private clouds, and the edge.

Get started with implementing hybrid and multicloud?

As mentioned earlier, the Cloud Adoption Framework for Azure guides your cloud journey across different phases of defining your strategy, creating your plan, preparing your environment, migrating to the cloud, and governing and managing your cloud portfolio.

We are releasing new content in the Cloud Adoption Framework that provides guidance specific to hybrid and multicloud adoption scenarios, including unified operations. This guidance will walk you through the stages of the cloud journey as defined in the Framework, and share best practice content for every stage, so you can successfully implement a hybrid and multicloud approach. The content includes business considerations, landing zone design considerations, and governance and management practices to help you implement a successful hybrid and multicloud architecture.

Beyond the content in the Framework, the guidance in the hybrid and multicloud scenario includes assets and resources that provide a complete set of guidance as you implement your hybrid and multicloud approach, including:

Microsoft Learn content for hybrid and multicloud scenarios, including learning modules for Hybrid, Azure Arc, and Azure Stack.

Reference architectures specific to hybrid and multicloud, including scenarios such as hybrid security, hybrid networking, hybrid identity, and more.

Microsoft Azure Well-Architected Framework guidance for effectively operating your workloads across hybrid environments, aligning with best practices for cost optimization, operational excellence, security, performance efficiency, and reliability.

Best practices to rapidly onboard resources to hybrid environments. These include step-by-step guides for independent Azure Arc scenarios that incorporate as much automation as possible, detailed screenshots with code samples, and a rich and comprehensive experience while getting started with the Azure Arc platform.

Featured product documentation covering product-specific technical guidance on hybrid-related products, including Azure Arc, Azure Stack HCI, Azure IoT Edge, and more.

More hybrid and multicloud learning resources

Check out the Ignite 2021 pre-recorded session on Implementing hybrid and multicloud approach with cloud adoption framework. This session provides an overview of content covered in the hybrid and multicloud scenario as part of the Cloud Adoption Framework. There is also an episode on the hybrid and multicloud approach, recently published as part of the Azure Enablement show, that covers key topics related to your cloud journey. Lastly, check out this new content on hybrid and multicloud, and let us know what you think!

Troubleshooting connectivity to Blob Storage using Azure Storage Explorer with Private Endpoint

Amrinder_Singh — Mon, 01 Mar 2021 11:19:32 GMT

Scenario:

You want to connect to Blob Storage having Private Endpoint via Azure Storage Explorer. This blog talks about some of steps to verify the setup and troubleshooting that can be followed depending upon the error message you are encountering.

Actions:

Creating/Verifying the Setup Configuration

There is certain list of steps that you need to follow in case you are creating a fresh setup. The documentation will be very helpful in the setup process.

In case you already have setup, below are the pointers to verify:

The VM from where you are trying to connect to, and your storage account need to be part of same Virtual Network and Subnet. You can verify them by navigating via respective resources through Azure Portal.

Another mechanism you can try is to do the nslookup over the storage account. It should resolve in a private IP and you can verify this from the IP assigned to FQDN under private endpoint configuration.

Lastly, you can verify if the machine IP from where connection is being made is part of same subnet

Troubleshooting Scenarios

Troubleshooting depends upon the operations you are trying to perform on the storage. The connection might get established however the actual error might appear when you try to perform listing or other operation.

A common error you might get will be unable to retrieve child resources however the important point here is check on the error in the details and to what error it points too.

If that points to some kind of “403 - Authorization Error”, you need to isolate based on what kind of error it is and why it is coming. Some common scenarios here could be in-sufficient roles, Firewall and VNET configurations etc. Ensure that you have right access already in place.
In case, if points to error such as “Account Does Not Exsist”, first verify the account exists and hasn’t been deleted. In case you have a setup, where in you are making use of Hosts File by specifying IP of the storage account, kindly ensure that you are having updated public IP mentioned in the host file entry. The file can be found at the path C:\Windows\System32\drivers\etc. Although, the public IP does not get changed that often however still verify it again too. If the IP has got updated then also this message may appear as explorer won’t be find out the account with the one mentioned in file. In that scenario, kindly update the entry in the Hosts file with the current public IP Address for the storage account.

If there are any other error observed specific to storage explorer, you can review this link as well.

Hope this helps!

MySQL 8.0.21, Zone placement, and IOPs scaling now available in Flexible Server!!!

Parikshit Savjani — Tue, 02 Mar 2021 04:14:23 GMT

Thank you all for an overwhelming response to our Flexible Server release! Your continued feedback is critical to ensure that we invest in the features that are most important for you. Today, I am excited to share some exciting new features that we released last week, driven by your feedback.

MySQL 8.0.21 now available in Flexible Server

With MySQL v8.0, the MySQL Server Team continues to add exciting new features in every minor version release, and it's sometimes difficult to keep up (which is a good problem to have :smiling_face_with_smiling_eyes:). Immediately after Flexible Server release, many of you requested that we prioritize MySQL 8.0 ASAP to unblock your to move Flexible Server, and some of you were looking for MySQL 8.0.20 or later to leverage some exciting improvements from the community. Today, we're happy to share that MySQL 8.0.21 is now available in Flexible Server in all major Azure regions. You can use the Azure portal, the Azure CLI, or Azure Resource Manager templates to provision the MySQL 8.0.21 release as shown below.

Using the Azure portal:

Create a MySQL 8.0 Flexible Server

Using the Azure CLI:

az mysql flexible-server create --resource-group <resourcegroupname> --name <servername> --location <region> --admin-user <username> --admin-password <password> --sku-name Standard_B1ms --version 8.0.21 --public-access <your Client IP address>

Zone Placement – Specify your preferred Availability zone during server creation

One of the highlights of Flexible Server architecture is zone awareness and the ability for you to configure zone redundant high availability. But many of you asked for the flexibility to choose availability zones at server creation, similar to Azure VMs, VM Scale Sets, or Azure Kubernetes Services, which would allow you to collocate your application and database in the same Availability zones to minimize database latency and improve performance. Well, Flexible Server is all about the flexibility and controls that you are looking for. You can now specify your preferred Availability zone at the time of server creation as shown below.

Note: Not all Azure regions support availability zones today, so if you select a region that doesn't yet support multiple availability zones, you might not see this this functionality. You can find Azure regions that support availability zone here and the regions that support Flexible servers here.

Specify your preferred Availability Zone during server creation

Scale IOPs independently of the storage provisioned

When you provision an Azure Database for MySQL server (Single Server or Flexible Server), you get 3 IOPs per GB free for you to consume. When you want to perform migrations or data load operations, the complimentary IOPs can be too small, which can result in significant performance degradation, yet you don’t want to increase storage size as your IOPs scaling requirements are transient. Your feedback strongly indicated that you wanted us to provide the flexibility to scale up or down the IOPs provisioned for the server independently of the storage, which would enable you to scale up IOPs to perform transient operations such as migrations or data loads more quickly. We've now decoupled storage and IOPs, and you can provision additional IOPs beyond the complimentary IOPs (3 IOPs per GB) for operations such as migrations and data loads, and then scale it back down when not required to save cost. In addition, further IOPs scaling is a fully online operation that doesn't require any downtime or restarts. The maximum IOPs you can provision is limited by the Compute VM size you choose. For more details, refer to our documentation.

Scale the server IOPs independent of storage provisioned

Known issues and what’s next

As you get ready to test Flexible Server, it's important to call out some of the known issues we are working on as this blog is written.

SSL\TLS 1.2 can't be disabled – As I mentioned in my release blog post, with Flexible server SSL is enabled with TLS 1.2 encryption enforced, and you can't disable it yourself from the Azure portal. As your preferred cloud service provider, we made this decision intentionally, to keep the security bar high and enforce the right behavior. While we all have the right intent, at times we can tend to adhere to our legacy and complexity. After talking to many of you, we learned that some of your legacy applications don't support SSL and in fact that this serves as an adoption blocker, keeping you from leveraging all the value that Flexible Server has to offer. We're mindful of this, and we'll be allowing you to change the require_secure_transport server parameter by yourself from the Azure portal, the Azure CLI or ARM in the upcoming release. Until then, if you want to disable SSL for your Flexible Server, you can file a ticket from the Azure portal and our awesome support team will assist with this.
Provisioning failures in some regions and intermittently – Some of you experienced provisioning failures over the past couple of weeks while provisioning servers in East US, West Europe, and Southeast Asia regions. It turns out that we ran out of capacity. As a product manager, I feel thankful for such problems, but I admit that the experience was poor, and we can and will do better here. As it stands now, the problem is fixed and you should easily be able to provision servers in all supported Azure regions. We do, however, still have a known issue in which provisioning a server with private access (virtual network) gets stuck intermittently and deployments run forever. We're working on a fix for this that is expected to rollout in March. Not all end users experience this issue with provisioning a server with private access (VNet), and sometimes the issue can be resolved by retry attempts. Regardless, you should expect this to be fixed after our next rollout planned around end of March. If you're deploying a server for testing, it is recommended to use public access until the fix is rolled out.
Ability to force failover – Many of you have asked for the ability to force a manual failover so that you can test failovers and measure application availability and tolerance to failovers. We're mindful of this ask, and we're working on this feature in the high availability area to give you the ability to force a manual failover at your will for testing and then later, if required, to use it in production as well.

We hope you are enjoying the new Flexible Server experience with our Azure Database for MySQL service. If you have any issues, feedback, or requests, please reach out to us using the following channels.

If something is not working as expected or advertised, please file a ticket from the Azure portal.
To provide feedback or to request new features without being engaged, search for or create a new entry via UserVoice.
To provide feedback or request new features in which you would like to be engaged by our product team, please send an email to the Azure Database for MySQL Team (@Ask Azure DB for MySQL).
To keep up to date with the latest releases and news, we recommend that you follow us on Twitter (@AzureDBMySQL) and subscribe to this blog.

Leveraging Storage Analytics Logs to analyze who accessed the Storage Account

Amrinder_Singh — Mon, 01 Mar 2021 09:35:24 GMT

Scenario:

You want to know who accessed/accessing your storage account. There can be a scenario someone created, deleted, or modified some blobs/containers within your storage account. The blog talks about how you can leverage storage logs, that will help you troubleshoot such scenarios.

Actions:

An important source of information for troubleshooting such scenarios are the Storage Analytics logs as it keep tracks of data plane operations happening over the storage account. There is a billing associated to this logging a well.

In case storage analytics is enabled, you can leverage below options based on the logging format:

If the logging format is 2.0 and you are using OAuth mechanism for authentication & authorization, there is a field UserObjectId. It denotes the object ID used for authentication. It may be any security principal, including a user, managed identity, or service principal.
If the logging format is 2.0 however you are not using OAuth and rather getting authenticated via SAS token or access keys, you can rely on the field requester-ip-address and the user-agent-header
If the logging format is 1.0 then you can only rely on the field requester-ip-address and the user-agent-header
The requester-ip-address fields provides information about the IP address of the requester, including the port number.
The user-agent-header fields provide the user agent details such as browser details, SDK details etc.

Let us take a look at some more details and the steps you can follow ahead:

Enable the storage analytics Logging, if not enabled already.

You first need to enable the storage analytical logging. You can either enable the classic one or work with storage resource logs. The current blog is more inclined towards the classic one however the other logs can be leverage in similar way.
You can set what type of operation you want to log such as Read, Write etc. Also, take a note at the logging version of the logs as well. Based on available fields, it will help tracking operations based on available fields. If you opt for version 2.0, it has extra fields for a authentication with Azure AD for blob services UserObjectId field will store the Object ID of the user/group/service principal, that made call to storage.

Once you save the settings, there will be a folder $logs that will get created inside the same storage account. it might take some time for logs to appear post the operations are made and these are stored in UTC format.

NOTE : If the logging isn’t enabled then you won’t be able to backtrack much. You can also consider the above step as a prerequisite for analysis too.

Parsing the logs generated

The logs will get created in .log format.
You can view the log data using Azure Portal, or using a storage explorer like the Microsoft Storage Explorer, or programmatically using the storage client library or PowerShell.
Once these have been downloaded, you can make use of below 2 links to parse them for further analysis. The first one converts the log file into CSV format while the second one is a standalone utility. You can leverage them as per your convenience.

https://gist.github.com/ajith-k/aa69feb862a4816d0b4df09fae8aad11

https://github.com/nunomo/AzureStorageLogReader

Analyzing the logs

We are taking a common scenario of someone deleting the blob and you want to track it back.
We will first download the logs and then parse it for further analysis.
Herein, a question arises as to get information regarding the time when the operation was performed and you can leverage Metrics option under the Monitoring pane.
You can select the metrics as “Transactions” and thereafter make use of ‘Apply Splitting’ option to split the result ahead based on available parameters. You will get to see count of the various operations happening over the storage account. We can hover on the API we are interested and it will highlight the timings over the graph when the particular operation was called.

There is another level of splitting that you can apply based on the Authentication type. This will help segregating calls based on their Authentication types as keys, SAS, Oauth etc.

For this example, we have parsed it into CSV format, and we get various type of information regarding the call that was made to storage. Let’s take a look at 2 different Delete Blob requests and check on some of the fields of interest.

Log Version – It provides the log level version i.e. either 1.0 or 2.0.

Transaction Start Time : Time when the transaction was initiated.

REST Operation Type : Type of operation that was performed such Read, List, Delete etc.

Authentication Type : This tells us about the authentication mechanism such as SAS, OAuth etc.

Request URL : The request URL for the operation and can provide idea regarding the filename.

Request ID : This is the Storage Request ID.

Client IP: This provide information regarding the IP that was hitting the storage.

User Agent : This provide us user agent details of the client application e.g. Storage explorer in above example.

User Object ID: This field is empty in the first snippet because the authentication happed via SAS whereas in the second one you get to the the User Object ID and principal name as well. You can track the User Object ID in Azure AD via portal ahead as well whether it’s belongs to single user, group or Service Principal

Similarly, based on the available formats and operations, you can track further activities happening on your Storage Account ahead.
In case you are observing heavy transactions happening over your storage account then also this document and the procedure shall help in an analyzing the trend too.

More Information, please follow below link

Storage Analytics Logging Format, available fields and description

Storage Analytics Logged Operations

Hope this helps!

Why my tables are empty after importing the BACPAC file ????

mohammad_belbaisi — Mon, 01 Mar 2021 11:10:11 GMT

I worked on a service request that our customer reported that some tables are empty after importing the database using BACPAC file . in this article i would like to share with you my findings and the troubleshooting steps :

1-Compare the number of rows for each table on the source and destination database using the following T-SQL to identify which tables that don't contain data :

SELECT t.NAME AS TableName, s.Name AS SchemaName, p.rows AS RowCounts, SUM(a.total_pages) * 8 AS TotalSpaceKB, SUM(a.used_pages) * 8 AS UsedSpaceKB, (SUM(a.total_pages) - SUM(a.used_pages)) * 8 AS UnusedSpaceKB FROM sys.tables t INNER JOIN sys.indexes i ON t.OBJECT_ID = i.object_id INNER JOIN sys.partitions p ON i.object_id = p.OBJECT_ID AND i.index_id = p.index_id INNER JOIN sys.allocation_units a ON p.partition_id = a.container_id LEFT OUTER JOIN sys.schemas s ON t.schema_id = s.schema_id WHERE t.is_ms_shipped = 0 AND i.OBJECT_ID > 255 GROUP BY t.Name, s.Name, p.Rows ORDER BY t.Name

2-After confirming that the tables don't have data ,we need to check if the exported BACPAC file have data on those tables and this done using the following steps:

Change the extension for the backup file from BACPAC to .zip .
Open the zip file and you should have a data folder that contains a folder for each tables exported with data.
if you find a folder for the tables that means that the BACPAC file contains the data for the tables

3-Connect with the same user that has exported the database and select the data from the tables that have the issue to be sure that the user has permission to view the data on those tables.

As a result, when you are using Row level security and want to export the database please be sure that the user who export the database has permission to view the data on the database tables otherwise this will only export the tables with the data that the user has permission to view .

Experiencing Data latency Issue in Azure portal for Log Analytics - 02/28 - Resolved

Azure-Monitor-Team — Sun, 28 Feb 2021 23:11:02 GMT

Final Update: Sunday, 28 February 2021 22:55 UTC

We've confirmed that all systems are back to normal with no customer impact as of 2/28, 22:12 UTC. Our logs show the incident started on 2/28, 19:08 UTC and that during the ~3 hours hours that it took to resolve the issue customers in Korea Central ingesting telemetry in their Log Analytics Workspace experienced intermittent data latency and incorrect alert activation.

Root Cause: The failure was due to one of the backend services becoming unhealthy.
Incident Timeline: 3 Hours - 2/28, 19:08 UTC through 2/28, 22:12 UTC

We understand that customers rely on Azure Log Analytics as a critical service and apologize for any impact this incident caused.

-Anupama

10 Reasons to Love Passwordless #7: Authenticator app for easy phone sign-in

Alex Weinert — Fri, 26 Feb 2021 23:54:25 GMT

In this series, Microsoft identity team members share their reasons for loving passwordless authentication (and why you should too!). Today, Alex Weinert continues this series.

In previous blogs in this series, we shared how passwords lead to breaches, lost productivity and support calls. I also shared how biometrics local to each device provide a secure and convenient way to authenticate with a simple gesture from the user.

Your identity companion, the Microsoft Authenticator app, is a great example. It allows you to sign into your Microsoft identities (personal, work or school) by responding to a notification with a quick scan of your face, swipe of your finger or entry of your phone passcode. By combining your device and the biometric, it is not just simpler than a password, but inherently multifactor.

Most of us keep our mobile phone in easy grabbing distance, no matter what we’re doing. Using Authenticator on your mobile phone, you can easily approve sign-ins on any device and into any app. There is no password to type, SMS code to round-trip, or robocall to answer! Moreover, security measures such as matching a number at the time of approving a sign-in help prevent accidental approval, and the app can provide context and security notifications much richer than anything possible in text messages.

Figure 1: Number matching experience

If you have a smart watch, you don’t even have to take your phone out of your pocket while logging into your Microsoft account. (Every time I approve on my watch I feel like I am an extra in a cool sci-fi series :smiling_face_with_smiling_eyes: – when my kid saw me do it, he finally thought Authentication was cool!)

For enterprises, when most of your workforce is remote, Microsoft Authenticator can be one of the easiest and fastest mechanisms to rollout. It is also the most cost effective. Users can download the app on their phones and setup an account in seconds. There is no additional hardware to carry and you can approve sign-ins on any device in the world. Passwordless authentication with Microsoft Authenticator also meets NIST 800-63 Authentication Assurance Level 2.

For end-users, the authentication experience matters the most. Microsoft Authenticator is one of the most highly rated authenticator apps in the world. As of February 2021, it tops its peers with a rating of 4.8 stars on Apple App store and 4.7 stars on Google Play store. Authenticator provides users great security with convenience and we are constantly innovating it with new capabilities.

In summary, Microsoft Authenticator may be the easiest and most affordable way to go passwordless for you and your users. There is no additional hardware to carry, passwords to remember or type, SMS to copy or phone calls to attend while signing in. You tap a notification, provide your biometrics and you are logged into any device you want. All this with secure multifactor authentication.

Stay tuned for more in the series! We’ll share how passwordless credentials can protect you from top attacks and we’ll dive into setup and recovery of passwordless credentials.

Check out the other posts in this series:

10 Reasons to Love Passwordless #1: FIDO Rocks
10 Reasons to Love Passwordless #2: NIST Compliance
10 Reasons to Love Passwordless #3: Why biometrics and passwordless are a dream combination
10 Reasons to Love Passwordless #4: Secure your digital estate, while securing your bottom line
10 Reasons to Love Passwordless #5: The ease of use and portability of security keys
10 Reasons to Love Passwordless #6: The Passwordless Funnel

Learn more about Microsoft identity:

Return to the Azure Active Directory Identity blog home
Join the conversation on Twitter and LinkedIn

Share product suggestions on the Azure Feedback Forum

Join Surface at Microsoft Ignite March 2-4, 2021!

Jenn_Marescalco — Fri, 26 Feb 2021 21:56:19 GMT

Now coming to you twice a year as a digital event, the Microsoft Ignite Conference takes place March 2 – 4, 2021. Join the Surface team and connect with Microsoft experts and technology professionals from around the globe.

Ignite represents an opportunity for attendees to discover the latest developments in productivity, find innovative ways to build solutions, migrate and manage your infrastructure, all from the comforts of your own home.

Check Out Surface at Ignite

Content & Sessions

Below are the list of sessions from Windows + Devices where you can learn more about what’s coming from Microsoft Surface. Be sure to check out the Ignite session catalog to find a time that works best with your schedule.

Session Type	Session Title and Abstract	Microsoft Speakers
Interstitial	The heartbeat of modern work: A Windows fireside chat with Panos Panay & Roanne Sones From the chip to the cloud, Windows is the heartbeat of modern work. Join Microsoft Chief Product Officer Panos Panay and Azure Edge + Platform CVP Roanne Sones for a quick, lively dialogue about the difference makers and the recent Windows innovations for commercial customers and the IT community. Start your Windows journey at Microsoft Ignite with us and let's talk about the features and innovations coming to life across Microsoft experiences and services!	Panos Panay & Roanne Sones
Feature Session	Engineer to engineer: Let's talk Windows! Your feedback inspires our innovations. Join Windows CVP Aidan Marcuss and pivotal members of the Windows, security, and endpoint management engineering teams to discuss the features, capabilities, and shiny new things that will help prepare commercial organizations for the future and ensure that IT receives the hero’s welcome it deserves.	Aidan Marcuss, David Weston, Ramya Chitrakar, Gabe Frost
On Demand	Microsoft Surface \| Delivering the Best in Modern End Point Security from Microsoft In today’s hybrid workplace security is more important than ever. The Surface engineering team has been using a unified approach to firmware protection and device security since 2015 through complete end-to-end ownership of hardware design, firmware development, and device updates and management. Hear from subject matter experts across Microsoft, how Surface and Microsoft 365 give people the freedom to work their way from anywhere, protected by Microsoft security and modern manageability.	Sonia Dara, Frank Buchholz, Mary Beth Anderson, Katharine Holdsworth

Following the event, these sessions recordings will also be copied to the Surface YouTube channel.

Connect with Experts

In addition to great session content, Ignite also affords a number of opportunities for attendees to connect with subject matter experts. In partnership with the Windows & Devices team, Surface experts will be participating in several Ask the Experts and Tech Community sessions below.

Date	Time* (Pacific Time)	Activity	Location
March 2	1 – 2 p.m.	Office Hours: Managing Windows Devices & Updates** Add to Calendar	Tech Community
March 3	8 – 9 a.m.	Office Hours: Managing Windows Devices & Updates** Add to Calendar	Tech Community
	11:30 a.m. – noon	Ask the Experts: Windows + Devices	Teams Live Events
	5 – 5:30 p.m.	Ask the Experts: Windows + Devices	Teams Live Events
	5 – 6 p.m.	Office Hours: Managing Windows Devices & Updates** Add to Calendar	Tech Community
March 4	8 – 9 a.m.	Office Hours: Managing Windows Devices & Updates** Add to Calendar	Tech Community

*Note dates and times subject to change. Be sure to check the Ignite session catalog and tech community pages for latest updates.

**Office hours are text-based; there is no audio or virtual meeting component. To post a question, you just need to be a member of the Tech Community. If you haven’t already signed up, click Sign In in the top right corner of the Tech Community page to join the Tech Community today.

Get Registered

Don’t miss the digital-only Microsoft Ignite! There is no cost to attend and registration is now open for all attendees. Sign up today for full access to all the information and innovative content packed into our new two-day agenda.

Wherever you are, we’re coming to you! So get ready to connect with Microsoft experts, technology professionals and customers from around the world during this exciting digital event.

Event Details

Where: Digital Event

When: March 2 – 4, 2021

Why: Get a look on Microsoft latest technology

Link to Register: Microsoft Ignite Registration Login

Follow us on Social

During Ignite we will be sharing out the great content we are landing across sessions both in our joint Windows and Devices sessions as well as from Surface around the topic of security. Watch for Microsoft Ignite posts on Surface LinkedIn and Surface Twitter leading up to and throughout the global, digital event.

Be sure to amplify Surface news and Surface session details using the combination of these hashtags: #SurfaceForBusiness and #MSIgnite.

Troubleshooting BitLocker from the Microsoft Endpoint Manager admin center

Intune Support Team — Mon, 01 Mar 2021 19:10:55 GMT

By Luke Ramsdale – Service Engineer | Microsoft Endpoint Manager – Intune

This is the second in our five-part series about deploying BitLocker with Microsoft Endpoint Manager - Microsoft Intune. Catch up by reading the first post in this series: Enabling BitLocker with Microsoft Endpoint Manager - Microsoft Intune - Microsoft Tech Community. In this post, we’ll look at troubleshooting encryption settings for BitLocker using the Microsoft Intune Encryption report.

BitLocker encryption methods

By default, the BitLocker setup wizard prompts users to enable encryption. You can also configure a BitLocker policy that silently enables BitLocker on a device.

Note
Automatic encryption is not the same thing as silent encryption. Automatic encryption is performed during Out-Of-Box Experience (OOBE) mode on modern standby or on Hardware Security Test Interface (HSTI)-compliant devices. In silent encryption, Intune suppresses the user interaction through BitLocker configuration service provider (CSP) settings. Each method has different prerequisites.

Prerequisites for BitLocker silent encryption

A Trusted Platform Module (TPM) chip (version 1.2 or 2.0) that must be unlocked.
Windows Recovery Environment (WinRE) must be enabled.
The hard disk must be partitioned into an operating system drive formatted with NTFS and a system drive of at least 350 MB must be formatted as FAT32 for Unified Extensible Firmware Interface (UEFI) and NTFS for BIOS.
UEFI BIOS is required for TPM version 2.0 devices. (Secure boot is not required but will provide more security.)
The Intune enrolled device is connected to Microsoft Azure hybrid services or Azure Active Directory (Azure AD).

Prerequisites for user-enabled encryption

The hard disk must be partitioned into an operating system drive formatted with NTFS and a system drive of at least 350 MB formatted as FAT32 for UEFI and NTFS for BIOS.
Intune enrolled device through hybrid Azure AD join, Azure AD registration, or Azure AD join.

Note
A TPM chip is not required but is highly recommended for increased security.

Identifying device status

Intune provides a built-in encryption report that presents details about the encryption status of devices across all managed devices. It is a very useful tool that provides an overview of the encryption status. You can use the report to identify and isolate BitLocker encryption failures, the TPM status, and encryption status of Windows devices.

Troubleshooting encryption failures

BitLocker encryption failures on Intune enrolled Windows 10 devices can fall into one of the following categories:

The device hardware or software does not meet the prerequisites for enabling BitLocker.
The Intune BitLocker policy is misconfigured, causing Group Policy Object (GPO) conflicts.
The device is already encrypted, and the encryption method doesn’t match policy settings.

To identify the category a failed device encryption falls into, navigate to the Microsoft Endpoint Manager admin center and select Devices > Monitor > Encryption report.

The report will show a list of enrolled devices. You will be able to answer questions about their encryption status such as:

Is the device encrypted?
Does it have a TPM chip?
Is the device ready for encryption?

Encryption report example

Note
If a Windows 10 device displays a Not ready status, it might still support encryption. For a Ready status, the Windows 10 device must have TPM activated. TPM devices aren't required to support encryption but are highly recommended for increased security.

The above example shows that a device with TPM version 1.2 has been successfully encrypted. Additionally, you can see two devices not ready for encryption and will not be able to be encrypted silently and that one TPM 2.0 device is ready for encryption but not encrypted.

Common failure scenarios

Next, let’s look at a few common failure scenarios. Each scenario details the encryption report status.

Scenario 1 – Device is not ready for encryption and not encrypted

When you click on a device that is not encrypted, Intune displays a summary of its status. In the example below, there are multiple profiles targeting the device: an endpoint protection policy, a Mac operating system policy (which is not applicable to this device), and a Microsoft Defender Advanced Threat Protection (ATP) baseline.

Scenario 1 - Device is not ready for encryption and not encrypted

Encryption status explained:

The messages under Status details are codes returned by the BitLocker CSP’s status node from the device. The encryption status is in an error state because the OS volume is not encrypted. Additionally, the BitLocker policy has requirements for a TPM that are not satisfied by the device.

The messages mean that the device is not encrypted because it doesn’t have a TPM present and the policy requires one.

Scenario 2 – Device is ready but not encrypted.

This example shows that the TPM 2.0 device is not encrypted.

Scenario 2 – Device is ready but not encrypted.

Encryption status explained:

This device has a BitLocker policy that is configured for user interaction rather than silent encryption. The user has not started or completed the encryption process (the user receives a notification message), so the drive remains unencrypted.

Scenario 3 – Device is not ready and will not encrypt silently.

If an encryption policy is configured to suppress user interaction and encrypt silently and the encryption report Encryption readiness state is Not applicable or Not ready, it is likely the TPM is not ready for BitLocker.

Scenario 3 – Device is not ready and will not encrypt silently.

Clicking on the device reveals the following reason:

Scenario 3 - Device encryption status

Encryption status explained:

If the TPM is not ready on the device, it could be because it is disabled in the firmware or needs to be cleared or reset. Running the TPM management console (TPM.msc) from the command line on the affected device will help you understand and resolve the TPM state.

Scenario 4 – The device is ready but not encrypted.

There are several reasons that a device targeted with silent encryption is ready and not encrypted.

Scenario 4 – The device is ready but not encrypted.

Encryption status explained:

One explanation is that WinRE is not enabled on the device, which is a prerequisite. You can validate the status of WinRE on the device using the reagentc.exe/info command as an administrator:

Command Prompt output of reagentc.exe/info

If WinRE is disabled, run the reagentc.exe/info command as administrator.

Enabling WinRE in Command Prompt

The Status details page will display the following information if WinRE is not configured correctly:

The user logged into the device does not have admin rights.

Another reason could be administrative rights. If your BitLocker policy is targeting a user who does not have administrative rights and Allow standard users to enable encryption during Autopilot is set to not configured, you will see the following in the encryption status:

Device encryption status - User that does not have admin rights.

Encryption status explained:

Switching Allow standard users to enable encryption during Autopilot to Yes will resolve this issue for Azure AD joined devices.

Scenario 4 – The device is in an error state but encrypted.

In this common scenario, if the Intune policy is configured for XTS-AES 128-bit encryption and the device it is targeting is encrypted is using XTS-AES 256-bit encryption (or the reverse), you will receive the error shown below.

Scenario 4 – The device is in an error state but encrypted.

Encryption status explained:

This happens when a device that has already been encrypted using another method—either manually by the user, with Microsoft BitLocker Administration and Monitoring (MBAM), or by the Microsoft Endpoint Configuration Manager before enrollment.

To rectify this, decrypt the device manually or by using Windows PowerShell. Then let the Intune BitLocker encrypt the device again the next time the policy reaches it.

Scenario 5 – The device is encrypted but the profile state is in error.

Occasionally a device appears encrypted but has an error state in the summary.

Scenario 5 – The device is encrypted but the profile state is in error.

Encryption status explained:

This usually occurs when the device has been encrypted by another means (possibly manually). The settings match the current policy, but Intune has not initiated the encryption.

Conclusion

The encryption report is a useful starting point for troubleshooting encryption failures. In some cases, you will need to investigate the device further to understand the reasons for failure.

To take full advantage of this troubleshooting method and the error details available in the encryption report, you will need to configure a BitLocker policy. If you are currently using a device configuration policy, consider migrating the policy. To perform either task, navigate to the Microsoft Endpoint Manager admin center and select Endpoint security > Disk encryption.

More info and feedback

For further resources on this subject, please see the links below.

Encrypt Windows 10 devices with BitLocker in Intune

Intune endpoint security disk encryption policy settings

Microsoft Defender for Endpoint

BitLocker cannot encrypt a drive known TPM issues

Troubleshooting tips for BitLocker policies in Microsoft Intune

The next post will cover troubleshooting from the client side. Stay tuned! Here’s the series:

Enabling BitLocker with Microsoft Endpoint Manager - Microsoft Intune - Microsoft Tech Community.

Let us know if you have any additional questions by replying to this post or reaching out to @IntuneSuppTeam on Twitter.

Enabling Central Visibility For DNS Using Azure Firewall Custom DNS and DNS Proxy

Ashish_Kapila — Fri, 26 Feb 2021 20:29:55 GMT

Many of our customers use Azure DNS for name resolution when it comes to infrastructure they have in Azure. The setup with Azure DNS works like a charm and provides name resolution to Azure Infrastructure without doing any complex setup. One challenge you may have is that Azure DNS do not log DNS queries from your VM’s, which means you have no visibility into what endpoints their azure infrastructure is trying to connect to or the DNS name resolution queries being used.

In this blog, we will see how Azure Firewall can help our customers overcome this challenge and provide visibility not only to Azure DNS logging but also to control the traffic flows both east-west and to the internet for their Azure resources.

Azure Firewall recently added Custom DNS and DNS proxy capabilities which was a big ask from all of our customers and, these are the features which we will explore in this blog and how it can help you.

Azure DNS

Azure DNS provides name resolution and basic authoritative DNS capabilities of public DNS names. The Azure DNS IP address is 168.63.129.16. Azure DNS provides DNS name resolution for your Azure infrastructure if you do not have your own DNS server hosted. For example, when you setup a new VM in Azure, it can resolve the public names out of the box using Azure provided name resolution (Azure DNS).

Azure Firewall Custom DNS

By Default, Azure Firewall uses Azure DNS to ensure the service can reliably resolve internet based name resolution. Custom DNS allows you to configure Azure Firewall to use your own corporate DNS server or Azure DNS to resolve the DNS queries.

You may configure a single DNS server or multiple servers in Azure Firewall and Firewall Policy DNS settings. We will go through the setup in more detail later on in this blog.

Azure Firewall DNS Proxy

This feature enables Azure Firewall to act as a DNS forwarder for your Infrastructure. When DNS proxy is enabled, your clients can point to Azure Firewall to resolve the DNS queries and act as DNS servers for your infrastructure.

DNS Proxy logs all the queries coming from your infrastructure in Azure Firewall logs, and we will go through the logs in detail later on in this blog.

We hope the above gives you a good understanding of the components involved in the challenge we are trying to resolve. Let’s look at the solution now and see how Azure firewall Custom DNS and DNS proxy will help with getting visibility into Azure DNS logging.

Architecture

The problem we are trying to solve in this blog is even when UDR’s force all traffic to Firewall, DNS traffic goes straight to DNS which means you cannot log the DNS traffic or control the traffic flow going from your infrastructure to Azure DNS. With this architecture, you can centrally log all DNS traffic going to Azure DNS using Azure Firewall.

In this architecture/deployment we will use a hub and spoke model is recommended, where the firewall is in its own Virtual Network. For the purpose of the blog we will assume a simple architecture where both Workload VM and Azure Firewall is in the same Virtual network but deployed in two different subnets as represented in the below Diagram.

Azure Firewall Deployment

You can deploy azure firewall either from Azure Portal, ARM, REST or CLI. Here is the article which you can follow to setup the above configuration step by step using azure portal.

Tutorial: Deploy & configure Azure Firewall using the Azure portal | Microsoft Docs

From the above article, you only need to follow the first five steps

Once you have followed the above steps, you have an Azure Firewall and you can connect to your workload VM using the Azure Firewall Public IP.

Custom DNS and DNS Proxy Configuration

We will now configure Custom DNS and DNS proxy in Azure Firewall.

Configure custom DNS servers and DNS Proxy - Azure portal

Under Azure Firewall Settings, select DNS Settings.
Under DNS servers, Select Default (Azure provided).
Under DNS Proxy, Select Enabled
Select Save.

Now the Azure firewall directs DNS traffic to Azure DNS for name resolution and Azure Firewall is configured as a DNS proxy.

Enable Diagnostic logs for Azure Firewall

In the Azure portal, Select the Azure firewall.
Under Monitoring, select Diagnostic settings.

For Azure Firewall, four service-specific logs are available:

AzureFirewallApplicationRule
AzureFirewallNetworkRule
AzureFirewallThreatIntelLog
AzureFirewallDnsProxy

Select Add diagnostic setting. The Diagnostics settings page provides the settings for the diagnostic logs.
In this example, Azure Monitor logs stores the logs, so type Firewall log analytics for the name.
Under Log, select AzureFirewallApplicationRule, AzureFirewallNetworkRule, AzureFirewallThreatIntelLog, and AzureFirewallDnsProxy to collect the logs.
Select Send to Log Analytics to configure your workspace.
Select your subscription.
Select Save.

Configure Azure Firewall as a DNS server

You can configure DNS server settings directly on the Network interface of virtual machine or you can specify directly at Virtual network. Below you can see both the methods.

Configure Azure Firewall as DNS server on your Workload Virtual Machine

In the Azure portal, Select the Workload Virtual Machine.
Under Settings, select Networking.
The Networking page, click on Network Interface.
This will open up the Network Interface page, under Settings, Select DNS servers.
In DNS Server Page, Select Custom and enter the internal IP of the Azure Firewall.

Configure Azure Firewall as DNS Server directly on the Virtual network

In the search box at the top of the portal, enter virtual networks in the search box. When Virtual networks appear in the search results, select it.
From the list of virtual networks, select the virtual network for which you want to change DNS servers for.
Select DNS servers, under SETTINGS. Select Custom and enter the internal IP of the Azure Firewall.

Now, we are all set up and will quickly review how azure firewall provides us the visibility of DNS logs from our Azure infrastructure going to Azure Provided DNS.

Azure Firewall is set up and using its default Custom DNS configuration, which is Azure DNS.
Azure Firewall is now configured as DNS proxy and acts as a DNS server for our workload VM.
Workload VM is configured to use Azure Firewall as a DNS server.
Azure Firewall Diagnostic settings are configured and logging to Log analytics workspace.

Connect to your workload client and access internet.

RDP to your workload Virtual machine.
Open browser and browse to www.google.com

Azure Firewall DNS log fields with explanations

Format: {remote}:{port} - {id} {type} {class} {name} {protocol} {size} {do} {bufsize} {rcode} {rflags} {rsize} {duration}

{remote}: client’s IP address, for IPv6 addresses these are enclosed in brackets: [::1]

{port}: client’s port

{id}: query ID

{type}: type of the request

{class}: class of the request

{name}: name of the request

{protocol}: protocol used (tcp or udp)

{size}: request size in bytes

{do}: is the EDNS0 DO (DNSSEC OK) bit set in the query

{bufsize}: the EDNS0 buffer size advertised in the query

{rcode}: response CODE

{rflags}: response flags, each set flag will be displayed, e.g. “aa, tc”. This includes the qr bit as well

{rsize}: response size

{duration}: response duration

Check the Azure Firewall DNS logs

In the Azure portal, Select the Azure firewall.
Under Monitoring, select Diagnostic settings.
In Diagnostics settings page, Click on workspace name under Log Analytics Workspace which will open the Log analytics workspace blade for you.
In the left Menu, select logs and copy/paste the following query and click on Run.

AzureDiagnostics | where Category == "AzureFirewallDnsProxy" | parse msg_s with "DNS Request: " ClientIP ":" ClientPort " - " QueryID " " Request_Type " " Request_Class " " Request_Name ". " Request_Protocol " " Request_Size " " EDNSO_DO " " EDNS0_Buffersize " " Responce_Code " " Responce_Flags " " Responce_Size " " Response_Duration | project-away msg_s | summarize by TimeGenerated, ResourceId, ClientIP, ClientPort, QueryID, Request_Type, Request_Class, Request_Name, Request_Protocol, Request_Size, EDNSO_DO, EDNS0_Buffersize, Responce_Code, Responce_Flags, Responce_Size, Response_Duration, SubscriptionId

You will see an output like the one below and can see all the DNS queries your workload VM is making to Azure provided DNS.

As you can see that now your organization has visibility into all the DNS requests which your Azure Infrastructure is making to Azure Provided DNS and how you can utilize Azure Firewall to control traffic flows. We hope you find this blog useful.

New Year, New Resolution and New Era of Windows Containers!

Weijuan Shi Davis — Fri, 26 Feb 2021 19:57:04 GMT

My new year resolution of Year 2021 is to write more. Before I know, it’s already February and I even celebrated Chinese Lunar Near of 2021 two weeks ago. OK, I guess I can count the clock that way. This year is the Year of the Ox. In Chinese Ox is “牛“. That same Chinse character also means super cool, super awesome. I hope this speaks to the year of Windows containers too .

There have been a lot to share and celebrate in the first 2 months.

AKS on Azure Stack HCI February Update

The biggest news is AKS on Azure Stack HCI February Update released last Friday! Ben Armstrong led the team and delivered lots of new changes and fixes in this release. Nice job! The crown jewel for me is the guide for evaluating AKS-HCI inside an Azure VM authored by Matt McSpirit. Anyone with an Azure subscription can try out AKS on Azure Stack HCI in an Azure VM and of course spin up your Windows containers on it. You won’t be constrained on hardware availability. Matt’s team runs the customer engagement program. They are actively looking at customers who are interested in enrolling in the Early Access Program (EAP) of AKS-HCI. You can fill out this survey if you are interested.

AKS-HCI now supports strong authentication using Active Directory Credentials is another great improvement that enables Active Directory authentication, fully integrated into Kubernetes authentication and configuration workflows. Sumit Lahiri did an excellent job explaining the architecture and what’s under the hood. The new scenario was delivered from the same team that we’ve been partnering closely to bring more gMSA related innovations to Windows containers to make the Lift and Shift experience easier for workloads that need Active Directory. If you are new to gMSA – Group Managed Service Account, it’s a service account that enables Windows containers to have an identity on the wire to allow Active Directory authentications. Our documentation gMSA for Windows containers have more details. We’ll share gMSA related improvements for Windows containers in coming months.

Docs. Docs. Docs.

The team took the quiet time during the Christmas holiday and made improvements on Windows container documentation. I want to list them so everyone can see and benefit.

We added a new page Lift and Shift to containers under “Get Started”. It shares high level benefits of using containers, applications supported in Windows containers, and a decision tree. This page will help those of you who just started looking at moving your Windows applications to containers.

We added a new section under “Tutorials” - Manage containers with Windows Admin Center starting with this page “Configure the Container extension on Windows Admin Center”. If you are looking for some tooling to help containerize your apps and deploy them, this will be a great starting point.

We updated the Base image servicing cycle page under “Reference” to reflect that we have extended Nano Server container SAC1809 release to be supported to 1/9/2024, and the Window container SAC1809 to be supported to 5/11/2021. There is a bit more update on this that I’ll cover later in the blog.

We added the Events page under “Reference” where all related content from last 2-3 years in major Microsoft and industry conferences are now compiled. We spent lot of effort and time on building quality slides and demos for events. So even though some content could be slightly outdated, they can still be valuable if you are just starting on Windows containers.

We added the GitHub page of Windows Server container roadmap under “Resources”.

Overall, we aim to make this documentation page as a one-stop shop for you to find all the relevant resources no matter which stage you are in leveraging Windows containers to lift and shift and modernize your Windows applications. We welcome your feedback and love to see you help contributing directly on documentation.

Lifecyle Management Update

We streamlined Server Core container and Nano Server container support and lifecycle management. Some of you may recall Nano Server container SAC1809 release was about to reach its end of life (EOL) in Nov 2020. We listened to your feedback especially those of you in the Kubernetes community that moved to use Nano Server containers for comformance testing in addition to regular workload use. Nano Server container SAC1809 now has the same EOL as Server Core container LTSC2019/1809 on 1/9/2024.

The Windows container, sometimes also referred as “the 3^rd Windows container”, has been gaining popularity thanks to its broader Windows API support. Recently we were brought to the attention that its SAC1809 release is going to reach its EOL on 5/11/2021. We understand customers who need to stay on Windows Server 2019 as the container host are concerned. That is because those customers can only use containers released in the same wave with the same Build number (also referred as "Major release number") due to Windows container host and guest version compatibility We are actively looking at options and will update when we are ready.

New Development from the .NET Team

We work very closely with the .NET Team, and I know that many of you run .NET apps on Windows containers. There are two recently blogs from Richard Lander of the .NET team that I want to share.

Staying safe with .NET containers | .NET Blog (microsoft.com).

You will notice this blog is mainly about Linux and only a small portion on Windows. I take it as a positive thing for Windows because it mostly just works with our current company-wide security practices. But we stay vigilant and keep innovating. There will be updates to our docs and blogs coming related to Windows Server container security.

Announcing .NET 6 Preview 1 | .NET Blog (microsoft.com).

In the Container section, you will notice this is mentioned: “Improve scaling in containers, and better support for Windows process-isolated containers.” This issue in process-isolated containers was reported from a few of our AKS customers. In a nutshell, the issue is that CPUs and memory are not being honored for process-isolated containers by .NET runtime. We are happy to see the .NET Team making improvements that will better take advantage of the capabilities of Windows containers.

I also wanted to call out this update .NET 5.0 Support for Windows Server Core Containers that was made available last November. Both .NET team and our team are very curious of your feedback on this.

What’s Ahead

Two exciting events are coming up on the horizon.

Microsoft Spring Ignite 2021 is next week March 2-4. I am excited to see quite a few new things our team have been working on will be showcased.
Microsoft Global MVP Summit 2021 is also coming on March 29-31. MVPs are our best customers and friends. I am excited to see some old and new friends again.

That reminds me recently I had a few email exchanges and GitHub discussions with one of our MVPs Tobias Fenster, CTO of COSMO CONSULT Group based in Germany. To my pleasant surprise, Tobias has been writing blogs on Windows containers, like this one ”Building Docker images for multiple Windows Server versions using self hosted containerized Github runners” . Hidden gems! Go check out Tobias’s presentation list.

To close, I really liked what Satya said in Microsoft Fiscal Year 2021 2nd Quarter Earnings Conference Call in January

“What we are witnessing is the dawn of a second wave of digital transformation sweeping every company and every industry.

Digital capability is key to both resilience and growth.

It’s no longer enough to just adopt technology. Businesses need to build their own technology to compete and grow. “

Borrowing that perspective, it’s no longer just about adopting Windows containers to lift and shift and modernize with AKS and AKS on Azure Stack HCI. It’s about leveraging Windows containers, differentiate your company and grow to new heights.

As always, we’d love to hear from you, how you use Windows containers, on AKS, AKS on Azure Stack HCI, or other environments, and what we can do better to help you make your digital transformation journey easier.

Weijuan

Twitter: @WeijuanLand

Email: win-containers@microsoft.com

Security Control: Protect Applications Against DDoS Attacks

fkortor — Fri, 26 Feb 2021 20:44:27 GMT

Welcome back to the Security Controls in Azure Security Center series! This time we are here to talk about "Protect applications against DDoS attacks".

Distributed denial-of-service (DDoS) attacks overwhelm resources and render applications unusable.

Use Azure DDoS Protection Standard to defend your organization from the three main types of DDoS attacks:

Volumetric attacks flood the network with legitimate traffic. DDoS Protection Standard mitigates these attacks by absorbing or scrubbing them automatically.
Protocol attacks render a target inaccessible, by exploiting weaknesses in the layer 3 and layer 4 protocol stack. DDoS Protection Standard mitigates these attacks by blocking malicious traffic.
Resource (application) layer attacks target web application packets. Defend against this type with a web application firewall and DDoS Protection Standard.

The "Protect applications against DDoS attacks" Security Control is worth two points and includes the recommendations below.

Azure DDoS Protection Standard should be enabled

DDoS attacks are often designed to make an application resource or online service unavailable by overwhelming the resource or service with more traffic than it can handle. Once the resource is no longer able to handle legitimate requests, it might also become vulnerable for code injection. The unavailability of the resource or service presents a significant issue considering legitimate parties also lose access to these resources or services. Daily business offerings may be halted as a result of the denial of service. Any endpoint that can be publicly reached through the internet is vulnerable to a DDoS attack. DDoS attacks can often be used to divert attention from larger targets such as injecting malware into company resources or data exfiltration.

Like most cyber threats, repairing a DDoS attack will take time and money. Aside from diverting resources to repair the attack, your organization could also be losing money due to the time it takes to get your resources and services back up and running. The best way to be prepared is to have precautions in place that will prevent these attacks from being successful. Azure resources are deployed with Azure Basic DDoS protection enabled, allowing for integrated defense against common network layer threats. Azure DDoS Protection Standard provides enhanced features that are designed specifically for your Azure resources including attack analytics and metrics.

Security Center works with Application Gateway, a web traffic load balancer, that enables users to manage traffic to their web applications. Application Gateway also utilizes Web Application Firewall (WAF) to respond, detect and prevent threats from web applications. APG/WAF is best combined with DDoS Protection to ensure Layer 4 – 7 protection.

Container CPU and memory limits should be enforced

Different types of DDoS attacks including Application Level Attacks focus on exhausting a server’s resources, including the CPU, in order to make the server unable to process legitimate requests. Enforcing container CPU and memory limits protect your container workloads from DDoS attacks by preventing the container from using more than the configured resource limit.

Azure Policy add-on for Kubernetes should be installed and enabled on your clusters

As discussed in our overview of the Remediate Security Configurations Control and Manage Access and Permissions, this recommendation is geared towards helping users safeguard their Kubernetes clusters by managing and reporting their compliance state.

Next Steps

Thanks for tuning back in to learn about the “Protect applications against DDoS attacks” Security Control within Azure Security Center. To gain credit for taking steps to protect your resources from DDoS attacks, you must remediate all the recommendations within this Security Control. As a reminder recommendations in Preview are not included in your Secure Score calculation until they are GA. Make sure to also check out our previous blogs and documentation to help you on your Secure Score journey!

The main blog post to this series (found here)
The DOCs article about secure score (which is this one)

Reviewers

@Tobi Otolorin, Program Manager 2, CxE Network Security

@Tom Janetscheck , Senior Program Manager, CxE ASC

Lesson Learned #165: How to reduce the time spent of downloading a large resultset

Jose_Manuel_Jurado — Fri, 26 Feb 2021 16:33:09 GMT

Today, I worked on a service request that our customer wants to download a large resultset from Azure SQL Database to OnPremises. The table has several blob columns (XML,Varchar(max),text) and millions of rows. In this situation, I would like to share with you several tests that I did and how to reduce the download time spent.

Initial points

Try to increase the packet size in your connection string to higher values.
Instead to use Proxy connection policy use Redirection connection policy to improve the connection.
About the redirection, remember to use the latest drivers because some old drivers are not able to use redirection.
As this process is a pure data processing, if possible, try to use Premium or Business Critical to reduce the I/O latency.
In OnPremises try to distribute the data and log files in different location to improve the IO.

In Azure SQL Database, I created a table and filling the data:

Basically, I created the following table:

CREATE TABLE [dbo].[Destination]( [ID] [int] IDENTITY(1,1) NOT NULL, [Name1] [varchar](4000) NULL, [Name2] [varchar](4000) NULL, [Name3] [varchar](4000) NULL, [Name4] [varchar](4000) NULL, [Name5] [varchar](4000) NULL, PRIMARY KEY CLUSTERED ( [ID] ASC ))

Running multiple times the following query, I got around 7 millions of rows.

INSERT INTO Destination (Name1,Name2,Name3,Name4,Name5) values(Replicate('X',4000),Replicate('X',4000),Replicate('X',4000),Replicate('X',4000),Replicate('X',4000)) INSERT INTO DESTINATION (Name1,Name2,Name3,Name4,Name5) SELECT Name1,Name2,Name3,Name4,Name5 FROM DESTINATION

In OnPremise:

I developed a small C# aplication that has 3 different process:
- The first process was to read the whole table from Azure SQL Database and using bulkcopy download the data, but the spent time was high. I saw that transfer ratio was about (100-200 mb/s).

private void LoadDataReaderWithoutCompression(C.SqlDataReader newProducts, int lCutOver = 10000, string sDestinationTable = "Destination") { using (C.SqlBulkCopy bulkCopy = new C.SqlBulkCopy(GetConnectionStringTarget(0), C.SqlBulkCopyOptions.KeepIdentity | C.SqlBulkCopyOptions.KeepNulls | C.SqlBulkCopyOptions.TableLock)) { bulkCopy.DestinationTableName = sDestinationTable; try { bulkCopy.BulkCopyTimeout = 6000; bulkCopy.SqlRowsCopied += new C.SqlRowsCopiedEventHandler(OnSqlRowsCopied); bulkCopy.NotifyAfter = 2000; bulkCopy.EnableStreaming = false; bulkCopy.BatchSize = lCutOver; bulkCopy.WriteToServer(newProducts); } catch (Exception ex) { Console.WriteLine(ex.Message); } } }

The second process was to compress the data using COMPRESS function before downloading the data. Basically, the idea was:
- Create a table with the following structure.
- Execute the query INSERT INTO [_M$_Destination_X] (ID,NAME1,NAME2,NAME3,NAME4,NAME5) SELECT ID,COMPRESS(NAME1) AS NAME1,COMPRESS(NAME2) AS NAME2,COMPRESS(NAME3) AS NAME3, COMPRESS(NAME4) AS NAME4, COMPRESS(NAME5) AS NAME5 FROM Destination
- Download using bulkcopy the compressed data
- Uncompress the data in the destination, running the following TSQ:, INSERT INTO [Destination] (ID,NAME1,NAME2,NAME3,NAME4,NAME5) SELECT ID,DECOMPRESS(NAME1) AS NAME1,DECOMPRESS(NAME2) AS NAME2,DECOMPRESS(NAME3) AS NAME3, DECOMPRESS(NAME4) AS NAME4, DECOMPRESS(NAME5) AS NAME5 FROM [_M$_Destination_X]

CREATE TABLE [dbo].[_M$_Destination_X]( [ID] [int] NOT NULL, [Name1] [varbinary](max) NULL, [Name2] [varbinary](max) NULL, [Name3] [varbinary](max) NULL, [Name4] [varbinary](max) NULL, [Name5] [varbinary](max) NULL, PRIMARY KEY CLUSTERED ( [ID] ASC ))

The second execution process was very good because I was able to skip the networking issue compressing and de-compressing. But, was only a thread running, what happening if I have millions and millions of rows, well, in this situation, I modified the source using a configurable number of threads (for example, running in parallel 10 threads reading 150000 rows each one).
- Every process read 150000 rows, using the following TSQL: INSERT INTO [_Tmp100] (ID,NAME1,NAME2,NAME3,NAME4,NAME5) SELECT ID,COMPRESS(NAME1) AS NAME1,COMPRESS(NAME2) AS NAME2,COMPRESS(NAME3) AS NAME3, COMPRESS(NAME4) AS NAME4, COMPRESS(NAME5) AS NAME5 FROM Destination ORDER BY ID OFFSET 0 ROWS FETCH NEXT 150000 ROWS ONLY
- Using bulkcopy I transferred the data to the OnPremise service.
- Finally running the query I was able to uncompress the data and save in the destination table, INSERT INTO [Destination] (ID,NAME1,NAME2,NAME3,NAME4,NAME5) SELECT ID,DECOMPRESS(NAME1) AS NAME1,DECOMPRESS(NAME2) AS NAME2,DECOMPRESS(NAME3) AS NAME3, DECOMPRESS(NAME4) AS NAME4, DECOMPRESS(NAME5) AS NAME5 FROM [_Tmp100]

At the end, I was able to reduce the time spent in hours for this process. I got other lessons learned for OnPremises to speed up the process and reduce the PageIOLatch contention, but, this will be for another post.

Enjoy!

New transactable offers from Ant Media, Claim Genius, and Uncrowd in Azure Marketplace

Christine_Alford — Fri, 26 Feb 2021 16:25:40 GMT

Microsoft partners like Ant Media, Claim Genius, and Uncrowd deliver transact-capable offers, which customers can purchase directly from Azure Marketplace. Learn about these offers below:

Ant Media Server Enterprise Edition: Ant Media Server Enterprise Edition is a streaming engine solution that uses WebRTC technology to provide adaptive, ultra-low-latency streaming. Supporting WebRTC, CMAF, HLS, RTMP, RTSP, and more, Ant Media Server is highly scalable horizontally and vertically and can run on-premises or in the cloud.

GeniusCLAIM: Claim Genius's GeniusCLAIM platform helps insurance carriers reduce costly processing delays by using artificial intelligence-powered damage estimation. Try GeniusCLAIM for free to see how it can help your firm reduce claim processing times and loss adjustment expenses, increase throughput and profitability, and reduce customer churn.

Uncrowd FRi – Retail Customer Analytics Platform: Uncrowd’s Friction/Reward Indexing (FRi) analytics platform answers retail's most fundamental question: "Why do customers choose Retailer X over Retailer Y?" FRi leverages artificial intelligence and machine learning to provide insights into shoppers' choices, behaviors, and likelihood to buy your products.

Windows & Devices at Microsoft Ignite 2021: March edition

Heather Poulsen — Fri, 26 Feb 2021 23:26:14 GMT

This is it! Your guide to all things Windows & Devices at Microsoft Ignite, March 2-4!

Jump to: Core sessions | Ask the experts | Depth on demand | Office hours | Additional resources

This past year has underscored the critical importance of Windows – the Windows PC has become more essential than ever, serving as a connector for people and organizations all around the world. And at the center of it all is IT. Our goal at Microsoft Ignite in March is to quickly get you to speed on how you can use the latest capabilities, services, and devices to support your end users and your organization—and prepare you for what's to come.

From sessions with the top leaders and engineers at Microsoft supporting Windows to an awesome catalog of in-depth videos that you can watch on demand at any time, Microsoft Ignite is your chance to get up to speed on Windows, Surface, and Microsoft Edge. We'll have Ask the Experts sessions so you can engage directly with those building the capabilities that will support you as IT pros and developers today and in the future—and we'll extend the time available for you to engage with our experts through Windows Office Hours here on Tech Community.

Now is a great time to be a part of the big, wide world of Windows. If you haven't already, register at https://ignite.microsoft.com and start building your schedule. Click on the session names below to add them to your schedule (or digital "backpack")—then bookmark this post as we'll be updating it each day with links to all our announcements, depth learning on demand, and post-conference activities.

There is a lot happening around Windows at Microsoft Ignite so let's dive in!

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Core sessions

Windows fireside chat with Panos Panay & Roanne Sones

Kicking off our Windows experience at Microsoft Ignite at 11:30 AM PST on Tuesday, March 2^nd is none other than Microsoft Chief Product Officer Panos Panay! In a fun, informative chat, Panos and Azure Edge + Platform CVP Roanne Sones will talk about why Windows matters, using examples of recent innovations in security, devices, browsing, and the cloud. We'll have our product and engineering experts standing by in the chat to answer your questions as well!

The heartbeat of modern work: A Windows fireside chat with Panos Panay & Roanne Sones
Tuesday, March 2 | 11:30 AM PST*

Can't make it at 11:30 AM PST? Not to worry! We'll replay this session later in the day. Keep an eye on the main channel around 9:30 PM PST.

Engineer to engineer: Let's talk Windows!

One of our goals for this Microsoft Ignite is to show and tell you how your feedback inspires our innovations! On Wednesday, Windows CVP Aidan Marcuss is sitting down with pivotal members of our Windows (Gabe Frost), security (David Weston), and endpoint management (Ramya Chitrakar) engineering teams for a lively discussion about the features and capabilities we've developed over the past year based on your ideas and suggestions—and how we're taking those further to help prepare your and your organization for the future.

We'll have live Q&A throughout this session too so pick the time that works best for you and add it to your schedule!

On demand: Microsoft Edge, Surface, and Microsoft Endpoint Manager

After the keynotes, make sure to check out our featured on demand sessions:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Ask the experts

Windows & Devices

While we'll offer live Q&A during the fireside chat and the Let's Talk Windows! panel session, you'll have an opportunity to ask additional questions and get answers from a diverse group of engineering, support, and product experts with our Ask the Expert sessions. These sessions are conducted in Teams Live Events so there's sure to be some lively banter as they answer your questions. Space is limited so click your desired day and time to RSVP!

Microsoft Edge

If you have specific questions around deploying and managing Microsoft Edge, we've got a special Microsoft Edge edition of Ask the Experts on Tuesday, March 2 from 11:30-11:59 PM PST*.

Microsoft Endpoint Manager

Or, if you are looking for advice on endpoint security, on monitoring and analysis or discovering vulnerabilities and potential compliance issues in real time, check out Ask the Experts: Securing your endpoints with Defender and Microsoft Endpoint Manager on Wednesday, March 3 from 2:30 AM to 3:00 AM PST*.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Depth on demand

We know you come to Microsoft Ignite to build your technical skills and knowledge. That's why we're offering deep dives, demos, and more in the Video Hub on Tech Community—direct from our engineering and product teams!

What’s new in Windows servicing – Joe Lurie, Namrata Bachwani
The how-to guide for managing Windows updates – Aria Carley, Kay Toma
The key to rolling out Windows updates with confidence – Aria Carley, Blair Glennon, Kevin Scharpenberg
A simple recipe to accelerate Windows 10 patch compliance – David Guyer
Windows 10 update monitoring and reporting – Charles Inglis
Delivery Optimization + ConfigMgr = cloud content made easy – Narkis Engler, Carmen Forsmann
Modernize application validation with Test Base for Microsoft 365 – Maitreyee Agashe Wagh
10 tips to make the Windows update experience fast and easy – Steve DiAcetis
This is Windows security! – Katharine Holdsworth, David Weston, Ron Aquino
What's new in MSIX – John Vintzel
Driver and firmware servicing in the enterprise – Nir Froimovici, Bryan Keller, Thad Martin
Enterprise development futures: Project Reunion – Thomas Fennel
Windows 10 in cloud configuration: endpoint management simplified – Ravi Ashok, Joe Lurie

Note: Links to these great sessions will be available after the keynotes conclude on day one.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Windows office hours on Tech Community

We want to ensure you have plenty of time to get answers to your questions at Microsoft Ignite. That's why we are holding four special editions of Windows office hours on Tech Community! Select any and all of the desired times below to save the slot and join us to get answers and tips to help you more easily manage Windows 10 updates and your Windows device estate.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Additional resources

If a prescriptive learning path is what you're looking for, we've got a good one for you. Stay current with Windows 10 and Microsoft 365 Apps is designed to help you integrate a prescriptive, process-based model into the way you deploy Windows and manage updates.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Learn more

Windows is a universe, not an island. Here are some additional guides to the breadth of experiences open to you at Microsoft Ignite 2021: March edition.

Guide to Microsoft 365 Apps deployment and servicing at Microsoft Ignite

Stay informed

Follow us at @MSWindowsITPro for announcements and updates throughout Microsoft Ignite—and to stay up-to-date with the latest resources, tips, and information for IT pros working in the Windows ecosystem.

* Timing subject to change Refer to the MyIgnite session catalog for the latest times and updates.

Security Control: Apply System Updates

Fernanda — Fri, 26 Feb 2021 16:10:33 GMT

As part of our recent Azure Security Center (ASC) Blog Series, we are diving into the different controls within ASC’s Secure Score.  In this post we will be discussing the security control Apply System Updates.

Image 1

System updates bring fresh and enhanced features, deliver security fixes, greater compatibility and in general a better user experience that help improving your security posture. Azure Security Center takes this and transforms it in several recommendations – depending on the resource types you have – that have Quick Fixes and easily shows you the big picture in your environment so you can act. Let’s drill into some of the recommendations for this control.

Note
There are two recommendations from this security control that are being deprecated. Learn more about it in this article Important changes coming to Azure Security Center | Microsoft Docs.

Log Analytics agent should be installed on…

Azure Security Center collects data using the Log Analytics agent (formerly known as Microsoft Monitoring Agent - MMA), which reads security-related configurations and event logs and then sends them to a Log Analytics workspace. Depending on the resource types you have, you may come across this recommendation for your virtual machines, virtual machine scale sets, Windows-based and Linux-based Azure Arc machines (Preview). The mapped policies audits if the Log Analytics agent is not installed.

Image 2

This comes with a Quick Fix button that will install the MMAExtension. The workspaceID will be requested once the remediation script is triggered.

"parameters": { "vmName": { "value": "resourceName" }, "location": { "value": "resourceLocation" }, "logAnalytics": { "value": "workspaceId" } }

You can also use ARM template or Azure Policies to manage the extension deployment to Arc servers. Learn more about Log Analytics agent for Linux or Log Analytics agent for Windows. For multiple ways to install and configure your Log Analytics agent please see this article.

System updates should be installed on your virtual machines

This recommendation doesn’t come with a Quick Fix button, but it does come with the Exempt feature; that way you can set an exemption for specific resources either if you have already mitigated it through a third-party service or accept the risk and give a waiver. From ASC you will be able to see the outstanding updates of the unhealthy resources. The KB ID is provided as well for you to track down specs and the impact it may have.

Image 3

System updates on virtual machine scale sets should be installed

The information brought in this recommendation is like the one of VMs, but there are a few differences (see Image 4). To check the security updates, you will have to click o the VMSS that will take you to its Log Analytics Workspace query dashboard. Automatically, a query is deployed and will display the update and its count, because we are talking about scale sets (see Image 5). At this point, there are only manual remediation steps to follow, and that’s taking into consideration the corresponding Knowledge Base (KB) article ID. Nevertheless, there’s a Trigger Logic App option available in case you want to create an automation to remediate that.

Image 4

Image 5

OS version should be updated for your cloud service roles

If you happen to have a cloud service role (classic), you might come across this recommendation. The Exempt feature is also available. By default, Azure periodically updates your guest OS to the latest supported image within the OS family that you've specified in your service configuration; but choosing a specific OS version disables automatic OS updates, and here is when this comes handy. To learn more about how to solve this follow this article.

Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version

This recommendation will appear if you must upgrade your Kubernetes service cluster to a later Kubernetes version (at the time this article was written the latest was 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+) to protect against known vulnerabilities in your current Kubernetes version. For a tutorial on how to accomplish this, go to this article.

Image 6

Next Steps

As with all security controls, you need to make sure to remediate all recommendations within the control that apply to a particular resource to gain a potential score increase for your security posture. Check out our GitHub repo for artifacts that may help you achieve your 100% Secure Score. For more content like this join the Microsoft Security Community at https://aka.ms/SecurityCommunity

Reviewer:

, Principal Program Manager - CxE ASC

Microsoft Ignite 2021 Tech Community Blog for Security, Compliance, and Identity

JessAfeku — Fri, 26 Feb 2021 16:00:00 GMT

Countdown to Microsoft Ignite is on! The event starts Tuesday, March 2nd at 8:00 am PT.

If you have not already registered, click here.

We are so excited to have you virtually joining us either live or catching the event on-demand. Our product and engineering teams have been working hard over the past six months to bring you the latest product news and announcements that will be shared during the event. Below is a comprehensive list of all sessions and opportunities to engage with Microsoft experts. There is a lot to explore during Microsoft Ignite, so we hope you take some time to watch, participate and learn!

Security Keynote

Join Vasu Jakkal’s Keynote:

KEY05 | “Security for All” by Vasu Jakkal, CVP SCI (delivered two times):

KEY05 | Tuesday, March 2 | 10:15 AM – 10:45 AM PT
KEY05-R1 | Tuesday, March 2 | 7:45 PM – 8:15 PM PT
ATE-KEY05 | Tuesday, March 2 | 12:00 PM – 12:30 PM PT

Learn how to reduce complexity and defend your organization against business risk with innovations in security, compliance, identity, and management.

Featured Sessions
Featured Sessions (30mins) delivered twice. Did you attend a Featured Session, but still have questions? Join the corresponding Ask the Experts session for a live Q&A with subject matter experts.

Join Joy Chik’s Featured Session:

FS195 | “Azure Active Directory: our identity vision and roadmap for strengthening Zero Trust defenses in the era of hybrid work” by Joy Chik; CVP of Identity (delivered two times):

FS195 | Wednesday, March 3 | 5:00 PM - 5:30 PM PT
FS195-R1 | Thursday, March 2 | 2:30 AM – 3:00AM PT
ATE-FS195 | Wednesday, March 3 | 8:30 PM – 9:00 PM PT

As cyberattacks get more sophisticated, securing hybrid work environments is more complex—and more critical. Adopting a Zero Trust approach and upgrading your identity infrastructure hardens your defenses now and for the long-term. In this demo-heavy, can’t-miss session, we’ll share how Azure AD helps you maximize control while enabling a seamless and secure user experience. Join us to see and learn how to eliminate passwords, simplify onboarding, and secure access to all your apps.

Join Rob Lefferts and Eric Doerr’s Featured Session:

FS197 | “Microsoft Security's roadmap for defending against advanced threats” by Rob Lefferts; CVP of Security and Eric Doerr; VP of Cloud Security (delivered two times):

FS197 | Wednesday, March 3 | 1:00 PM – 1:30 PM PT
FS197-R1 | Wednesday, March 3 | 10:30 PM – 11:00 PM PT
ATE-FS197 | Wednesday, March 3 | 2:00 PM – 2:30 PM PT

Today’s threat landscape continues to grow in complexity, sophistication, and frequency. As advanced attacks emerge, Microsoft is on the frontlines working with customers and partners. We'll share our actionable tips and the latest on technology, including the only integrated SIEM + XDR on the market, to protect your environment from end-to-end and get ahead of adversaries.

Join Alym Rayani’s Featured Session:

FS196 | “Manage risk and secure information across your environment” by Alym Rayani; CVP of Security and Eric Doerr; VP of Cloud Security (delivered two times):

FS196 | Tuesday, March 2 | 4:00 PM – 4:30 PM PT
FS196-R1 | Wednesday, March 3 | 1:30 AM – 2:00 AM PT
ATE-FS196 | Tuesday, March 2 | 5:00 PM – 5:30 PM PT

Organizations have an onslaught of new risks as a result of remote work. Data is now being accessed and stored outside of the traditional borders of business - across endpoints, clouds, and apps. With this massive growth of data, managing risk and securing your sensitive information is critical to digital transformation. Learn how Microsoft’s risk management and compliance solutions enable you to identify and respond to these emerging risks while keeping your most important information safe.

On-demand Sessions

On-demand sessions (30 minutes max) are hosted within the Microsoft Ignite platform and are available to watch anytime during or after the live event concludes. Click the links below to watch:

OD356 | Taking identity and privacy to a new level | Verifiable Credentials with decentralized identity using blockchain
OD357 | Information risks keeping you up at night? Deploy intelligent information protection and data loss prevention
OD358 | Take charge of data governance across your digital landscape
OD359 | Elevating security and efficiency with Azure Sentinel, your cloud-native SIEM
OD360 | Prevent attacks by protecting your applications with Azure Active Directory
OD361 | Don’t get caught off guard by the hidden dangers of insider risks! Secure your sensitive information with Insider Risk Management
OD362 | Zero Trust - The proactive approach to cybersecurity
OD363 | Winning Azure Active Directory strategies for identity security and governance
OD364 | Safeguard your multi-cloud apps and resources with the latest Cloud Security innovations
OD365 | Microsoft Defender: Stop attacks and reduce security operations workload with XDR

Interstitial Programming
Interstitial programming is a content experience, using programmatic elements including live desk, wayfinding, breaking news, social media, attendee-generated content, and keynotes that inform the way attendees think, feel, and makes sense of the event.

These segments will air on the Microsoft Ignite main page periodically throughout the live event. For estimated times of delivery, please see the below.

Approx. AIRTIME	seSSION TITLE
3/2 11:45 AM PT	Zero Trust Methodology
3/2 4:44 PM PT	Mechanics: Passwordless
3/3 4:30 PM PT	Microsoft Security: Building & Learning
3/3 12:00 AM PT	Adversarial Machine Learning is Real: A Security Unlocked Podcast Episode
3/3 1:30 PM PT	What is the Microsoft Intelligent Security Association (MISA)?
3/3 3:03 PM PT	Customer Tech Talk [Ben Walters & Jen Hall]

Opportunities to engage with our security experts

Be sure to join our security experts in the Connection Zone by attending our additional Ask the Experts sessions and by participating in our two Microsoft Learn Live Sessions, scheduling a One-on-one Consult, Intro to Tech Skills, signing up for the Cloud Skill Challenges, and any of our 10 Product Roundtables.

Connection Zone Program	Details
Ask the Experts	ATE109 \| Ask the Experts: Passwordless Deployment ATE110 \| Ask the Experts: Secure your sensitive information with Insider Risk Management ATE111 \| Ask the Experts: Elevating Security and Efficiency with Azure Sentinel, Your Cloud-Native SIEM ATE112 \| Ask the Experts: Zero Trust – The proactive approach to cybersecurity ATE114 \| Ask the Experts: Securing your endpoints with Defender and Microsoft Endpoint Manager ATE115 \| Ask the Experts: Azure Platform Security ATE134 \| Ask the Experts: How can AI make security teams more efficient and strategic?
Learn Live	LRN252: Plan, implement and administer conditional access LRN253: Threat response with Azure Sentinel playbooks
Intro to Tech Skills	Title: Introduction to Security, Compliance and Identity Abstract: Learn about the different Microsoft solutions for managing security in your organization. Microsoft 365 provides a holistic approach to security, helping you to protect identities, data, applications, and devices across on-premises, cloud, and mobile.
Cloud Skills Challenge	1. Identity + Information Protection Admin Challenge a. Maps to Cert SC-300; SC-400 2. Security Operations Analyst Challenge a. Maps to Cert SC-200 Learn more about certifications here
Product Roundtables	Upon registration for a session, you will be required to answer a short survey regarding the topic. You will be notified of your status for the roundtable as soon as your submission is reviewed. Attendance is limited to ensure everyone has an opportunity to contribute to the discussion. To review Product Roundtables Participation terms & conditions, click here. · Topic: Zero Trust: Walking the path · Topic: Identity and access management for services · Topic: Privileged Access management · Topic: Enabling seamless collaboration across technology barriers · Topic: Best practices for managing data security risks and meeting compliance requirements · Topic: What should the Microsoft Compliance Think Tank build next? · Topic: Compliance business priorities and challenges: a discussion · Topic: Microsoft Cloud App Security (MCAS) - A discussion on potential investment areas and a chance to help shape our product direction · Topic: Building Security and Efficiency with Azure Sentinel, your cloud-native SIEM · Topic: CISO Tips for Removing Silos Between IT and OT
One-on-one Consults	Want to have your questions answered by a Microsoft Professional? Schedule a 45-minute consultation where you can engage directly with a security expert. Click the link to begin scheduling your meeting.

Manage meeting space availability with Microsoft Teams Panels

Microsoft_Teams_team — Fri, 26 Feb 2021 16:00:00 GMT

In the new Hybrid Workplace, providing the right digital tools to connect and support employees wherever they are is essential. It supports productivity, engagement, safety, and collaboration. As companies begin to reopen their offices, and conference rooms and meeting spaces become busy again, optimizing how they are utilized will be key to everyone’s success.

Microsoft Teams Panels were announced last October at Ignite 2020 as a new category of devices. They provide a space and time management solution powered by a native Teams experience, running on a compact digital display that can be mounted virtually anywhere. Today, we’re pleased to announce that they’re now generally available.

Supporting the Hybrid Workplace with the right devices in the right places
With Teams Panels, employees can book an available room on the spot or find another time slot and reserve it right from the panel. With vibrant, color-coded LED indicators, it's easy to determine space availability from a distance. And, the intuitive and easy-to-read UI presents space and meeting information, so you can confirm you’re in the right place at the right time.

A popular feature available now is the ad hoc meeting scheduler. Let’s say you and a colleague need to jump on a quick client call. Simply go to the Teams Panel outside a meeting space. If the time slot is not booked, it will appear green. Just tap the screen to instantly book it and the room is yours for the time selected. Teams Panels use the Exchange calendar for the booking of the room, so users can have insight in the meeting space free or busy status at any time.

Teams Panels work with a range of devices
When paired with Microsoft Teams Rooms or Surface Hub devices, users can take advantage of connected device experiences, like booking an ad-hoc Teams meeting on the Panel and joining the same ad-hoc meeting on a Teams Rooms or Surface Hub device.

And while the best end-to-end experience is pairing a Teams panel with another Teams device or Teams Room configuration, you can add a panel outside of any meeting space, allowing users to schedule any room through Outlook or right from the panel itself. All Teams Panels can be centrally provisioned, updated, and monitored from Microsoft Teams Admin Center.

In the coming months, four powerful new features will roll out:

Room Capacity Warning leverages select in-room cameras to detect when the maximum people allowed per room is reached.

Nearby Rooms lets employees view the building floor plan and book another room when a space is unavailable.

Room Check-in Notification sends a message to the in-room display that people in the next meeting are waiting outside.

Remove Unused Scheduled Room identifies and allows for the removal of ‘ghost’ meetings to free up unused meeting space time slots.

Teams Panels are currently available from our partner Crestron and Yealink will release theirs in April, with additional partners to be announced later in the year. Our certified hardware partners deliver optimized touch screen experiences with LED indicators and multiple mounting options, as well as additional sensors that integrate seamlessly with Microsoft Teams.

When an organization licenses Microsoft Teams Room Standard or Microsoft Teams Room Premium, no additional licenses are required for Microsoft Teams Panels. Teams Panel devices are currently sold separately by Crestron and Microsoft.

Bring SSIS ETL lineage into Azure Purview Data Map

Chunhua — Fri, 26 Feb 2021 07:52:26 GMT

Here comes part three in the “ADF/Purview integration” blog series. In this blog we will focus on bringing SSIS ETL linage into Azure Purview. If you want to learn what we covered in part one and two in this series, please go back and check out Analyze root cause and impact using ADF ETL lineage in Azure Purview and Bootstrap ETL process by bringing Azure Purview assets into Azure Data Factory.

Enterprises are increasingly migrating existing SQL Server Integration Services (SSIS) projects and packages from on-premises to Azure for cost reduction as well as scalability and high availability enhancements. With the number of packages often in the hundreds if not thousands, data engineers in charge of operating the ETL process often grapple with the challenge of ensuring the freshness of the produced data and downstream data consumers often wondering whether they can trust the quality of the data for their business-critical reports.

SQL Server Integration Services (SSIS) is now integrated with Azure Purview to address these challenges! You can bring data lineage from Azure Data Factory SSIS Integration Runtime to Azure Purview for root cause analysis and impact analysis.

If you do not have ADF SSIS Integration Runtime, please check out Lift and shift SQL Server Integration Services workloads to the cloud.

The steps below describe how to bring SSIS lineage into Azure Purview.

Step 1: Create an Azure Purview account

Step 2: Connect a Data Factory to Azure Purview

Step 3: Trigger SSIS activity execution in Azure Data Factory

You can run SSIS package with Execute SSIS Package activity or run SSIS package with Transact-SQL in ADF SSIS Integration Runtime.

Once Execute SSIS Package activity finishes the execution, you can check lineage report status from the activity output in Data Factory activity monitor.

Step 4: Now you are ready to browse lineage Information in your Azure Purview account.

You can browse the Data Catalog by choosing asset type “SQL Server Integration Services”.

Alternatively you can also search the Data Catalog using keywords

You can view lineage information for an SSIS Execute Package activity and have the option to open in Data Factory to view/edit the activity settings.

You can choose one data source to drill into how the columns in the source are mapped to the columns in the destination.

More Resources:

Create an Azure Purview account
Connect a Data Factory to Azure Purview
Data Catalog lineage user guide, provides an overview of the data lineage features in Azure Purview Data Catalog.
Azure Data Factory Lineage, gets into the details of the coverage scope and supported lineage patterns.

Bring SSIS ETL lineage into Azure Purview Data Map

Chunhua — Fri, 26 Feb 2021 07:44:47 GMT

If you do not have ADF SSIS Integration Runtime, please check out Lift and shift SQL Server Integration Services workloads to the cloud.

The steps below describe how to bring SSIS lineage into Azure Purview.

Step 1: Create an Azure Purview account

Step 2: Connect a Data Factory to Azure Purview

Step 3: Trigger SSIS activity execution in Azure Data Factory

You can run SSIS package with Execute SSIS Package activity or run SSIS package with Transact-SQL in ADF SSIS Integration Runtime.

Once Execute SSIS Package activity finishes the execution, you can check lineage report status from the activity output in Data Factory activity monitor.

Step 4: Now you are ready to browse lineage Information in your Azure Purview account.

You can browse the Data Catalog by choosing asset type “SQL Server Integration Services”.

Alternatively you can also search the Data Catalog using keywords

You can view lineage information for an SSIS Execute Package activity and have the option to open in Data Factory to view/edit the activity settings.

You can choose one data source to drill into how the columns in the source are mapped to the columns in the destination.

More Resources:

Create an Azure Purview account
Connect a Data Factory to Azure Purview
Data Catalog lineage user guide, provides an overview of the data lineage features in Azure Purview Data Catalog.
Azure Data Factory Lineage, gets into the details of the coverage scope and supported lineage patterns.

Enable Application Setups to Change File Type Associations

hewagen — Fri, 26 Feb 2021 14:39:36 GMT

Tested with Windows 10 1609 up to 20H2

Hey community, this is Helmut Wagensonner, a Customer Engineer for Windows Client platform. Today I show you a way to make file type associations more enterprise ready.

I heard many of my customers complaining that it’s no longer possible to assign file types programmatically to an application (i.e. during the installation of an application). An example: You install Adobe Reader as your desired default PDF reader in your environment. Former, the Adobe Reader setup was able to register itself as default handler for all .PDF files. With Windows 10 this has changed. Applications can add themselves as an optional file handler, but it is no longer possible to programmatically change the default file handler for a certain file type. The final decision of which app opens which file type needs to be made by the user. On one hand this can prevent malicious software from inadvertently registering themselves as a default file handler but on the other hand it can cause inconvenience in Enterprises.

But we didn’t forget about enterprises and added an option to Windows 10 to manage file type associations (FTAs) in an administrative way. In fact, there are two options.

You can create an XML file containing the desired FTA’s and import it using DISM. Those settings are applied during the user profile creation process and allows users to change the settings afterwards. However, this method does not work for existing user profiles. You can find more details here: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/export-or-import-default-application-associations

The second option is to apply this XML file using a Group Policy setting. In this case also existing user profiles are affected from the settings within the XML. That’s pretty much what we need. The only thing remaining is to provide a way for application setups to change this XML file. And this is where this blog post and the attached script can help.

The script I’m providing here adds a bit of dynamics to the file type associations. It supports adding, removing and updating values in the XML file. Here are more details and quick instructions.

Prepare your environment

Your clients need to be joined to an Active Directory, where GPOs can be applied to computers.
Create an empty default file type association XML, which should look like this:
<?xml version="1.0" encoding="UTF-8"?> <DefaultAssociations> </DefaultAssociations>
You can also use a predefined XML, which works with your standard client. In that case make sure that your configuration file only contains extensions you want to modify. You will find examples of how to create association XMLs
<https://docs.microsoft.com/de-de/archive/blogs/windowsinternals/windows-10-how-to-configure-file-associations-for-it-pros> here.
Use your preferred deployment method to push the configuration file to your clients or add it to your master image. Select a local folder, which is readable but not changeable for users. The C:\ProgramData\YourCompany folder would be a good place.
Note: This solution does not work if your configuration XML file is located on an UNC path. It must be stored locally.
Create a GPO which affects all Windows 10 clients and change the setting as shown in the picture. Point the path to the location, where you copied your XML file in the step before.
Add the script provided in this blog post to your desired software installations. You find examples of how to use the script further down the page.

Add script to application deployments

Let’s assume you deploy a video player application, which handles the “.AVI” files. You want the application setup to change the default app for .AVI to this application. To accomplish this, simply run the Powershell script attached to this article after or during the application’s setup, i.e. as a custom action or a script that is triggered in your install.cmd/.ps1).

The following command modifies the local application association XML file. It changes .AVI to the new AppId or adds a new line, if AVI is not yet assigned in the configuration file.

Modify-AppAssocXml.ps1 -Path "C:\ProgramData\YourCompany\AppAssoc.xml" -Extension ".avi" -ProgId "VLC.avi" -AppName "VLC Media Player"

Please note that it requires GPO foreground processing for the settings to take effect. This means that users need to log off/on after the FTA XML has changed.

Command line options

Path is straightforward. It’s the path to your local FTA config file.
Extension is the file type(s) you want to modify or set. You can either specify a single extension or multiple extensions, separated by comma (i.e. “.avi,.mp4,.mpeg”).
ProgID is the path to the application’s ProgId registry key without HKEY_CLASSES_ROOT. Most times this is the path to the open handler in the registry, relative from HKEY_CLASSES_ROOT to the key name before Shell\Open\Command. An Example: The open handler for “notepad.exe” can be found in HKEY_CLASSES_ROOT\Applications\notepad.exe\shell\open\command. The ProgID for Notepad would be Applications\notepad.exe.
AppName is the file description property of the corresponding EXE file. However, this value does not affect the file type association, but it must be set.

Verification and troubleshooting

After running the script and logging off/on the user, you can check the registry for verification. If you changed, for example, the assignment for .AVI files, you should find a registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice\ProgId. The data of this value should be the same as the ProgId specified in your XML. And of course .AVI files should open with the application you assigned it to. If this is not the case, check the event log Microsoft-Windows-Shell-Core/AppDefaults for errors.

Disclaimer The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

Experiencing Data Access Issue in Azure portal for Azure Monitor - 02/26 - Resolved

Azure-Monitor-Team — Fri, 26 Feb 2021 08:48:35 GMT

Final Update: Friday, 26 February 2021 08:34 UTC

We've confirmed that all systems are back to normal with no customer impact as of 02/26, 08:11 UTC. Our logs show the incident started on 02/26, 03:25 UTC and that during the 4 hours 45 Minutes that it took to resolve the issue some customers may have experienced data access, data latency and incorrect alert activations in Japan East region.

Root Cause: The failure was due to issue in one of our dependent service.
Incident Timeline: 4 Hours & 45 minutes - 02/26, 03:25 UTC through 02/26, 08:11 UTC

We understand that customers rely on Azure Monitor Service as a critical service and apologize for any impact this incident caused.

-Vamshi

Initial Update: Friday, 26 February 2021 04:57 UTC

We are aware of issues within Log Analytics and are actively investigating. Some customers may experience delayed or missed Log Search Alerts in Japan East region.

Work Around: None
Next Update: Before 02/26 09:00 UTC

We are working hard to resolve this issue and apologize for any inconvenience.
-Vamshi

Task Sequence Bootstrapping - OSD Video Tutorial: Part 26

Yvette O'Meally — Fri, 26 Feb 2021 01:34:52 GMT

Hi everyone, we have added a new video tutorial to the Advanced OSD series. This tutorial highlights the ability to bootstrap a task sequence during client installation. This was introduced in ConfigMgr current branch 2002 and refined in ConfigMgr current branch 2006. The video demonstrates how to use this option when the client is installed on-prem, directly on the internet using the CMG, and through Autopilot. While not specifically part of client bootstrapping, the tutorial also demonstrates and discusses the various authentication options the client can use including self-signed certs, PKI certificates, Azure AD token authentication and new in ConfigMgr 2002, the Bulk Registration Token.

The video linked below was prepared by , a Principal Customer Engineer focused on manageability technologies.

Posts in Advanced OSD.

Go straight to the Advanced OSD playlist

For an overview of the entire series see OSD with Configuration Manager Video Tutorial Series Overview.

10 Reasons to Love Passwordless #6: The Passwordless Funnel

TarekD — Fri, 26 Feb 2021 00:46:27 GMT

In this series, Microsoft identity team members share their reasons for loving passwordless authentication (and why you should too!). Today, Tarek Dawoud, principal program manager, continues this series.

Since we announced our Public Preview of passwordless credential management, we have met with hundreds of customers to discuss the passwordless promise and how to get there. If there’s one consistent theme we’ve heard from customers over the past two years, it’s been that going passwordless makes sense. That's what I love about passwordless. They absolutely believe in the promise, the technology, and the standards backing it. They see that it’s the right investment to truly rely on enterprise security for user accounts and credentials.

The other theme we’ve also heard is that customers need guidance and help on how to plan their passwordless journey. Since passwords have been around since the inception of computing, this is a new undertaking for most customers and with the passwordless journey being closely tied to the cloud journey, many customers are seeking a blueprint or roadmap.

I am here to share more about the journeys that some of our most successful passwordless customers, including Microsoft ourselves, have taken, and what we have learned from them. The first step on the journey is to understand and start planning for the “Passwordless Funnel” as illustrated in the image below:

Passwordless Funnel:

Presence in Azure AD: Recognize that the cloud is where passwordless innovation is happening, whether it’s WebAuthN or enhancements in token protection, the modern protocols and standards are where the battle can be won. Trying to go passwordless while relying on on-premises legacy technologies that have the password embedded in their fabric is counter-productive. While legacy applications will be around (and the solution should allow them to continue to work), the speed of the cloud is so much more suited for iterating on passwordless than hoping for server products to keep up.
Moving your Apps to Azure AD: The majority of users day-to-day apps should be modernized apps that do OAuth2.0 or SAML authentication and authorization. This is true for all Microsoft 365 apps, but we also want you to The more apps under Azure AD, the more bang for your passwordless buck. For developers, we now have guidance on how to make sure your apps are passwordless ready.
Device and platform readiness: This is one area that customers may overlook. To enable Windows Hello for Business with the best feature set for passwordless integration, we recommend Windows 20H1 or higher. Customers will likely need time to get on a current build of Windows. Customers using FIDO2 keys need to also get themselves familiar with the Azure AD FIDO2 Supportability matrix for operating system and browser support. Device readiness also includes what FIDO hardware you may need, and which vendors provide the functionality and features customers may need. This matrix is an ever evolving page as more software and hardware vendors add support for FIDO2, so watch this space.
Enable secure bootstrapping of Passwordless: A strong credential created with a single weak credential compromises the overall credential. As your users onboard to passwordless credentials (Windows Hello for Business - WHFB, Passwordless Phone Sign in or FIDO2 keys) they must use strong authentication to register these credentials. Today, this means they must be registered for Azure AD MFA following our best practices . Soon, we’ll add a way for employees to register a passwordless credential without needing a traditional MFA method first. To keep up with the newest updates keep following this series.
Registering the new passwordless credentials: Create campaigns and awareness to enroll targeted user groups into the new credentials. Today, we have over 4 million users actively using WHFB as their primary credential on Azure AD. WHFB, enrollment can be completed on existing devices or simply by acquiring a new device. For FIDO2 and Passwordless Phone Sign in, you can scope rollout campaigns using the guidance in our deployment guide.

Putting it all together

So, as you start your passwordless journey… What can you do today? What can you start in a month? And what do you have to start working on this year? This journey map (shown below) is built based on our deployment journey at Microsoft as well as hundreds of passwordless deployments with our customers, we hope you will find it valuable.

Check out the other posts in this series:

10 Reasons to Love Passwordless #1: FIDO Rocks
10 Reasons to Love Passwordless #2: NIST Compliance
10 Reasons to Love Passwordless #3: Why biometrics and passwordless are a dream combination
10 Reasons to Love Passwordless #4: Secure your digital estate, while securing your bottom line
10 Reasons to Love Passwordless #5: The ease and use and portability of security keys

Learn more about Microsoft identity:

Return to the Azure Active Directory Identity blog home
Join the conversation on Twitter and LinkedIn
Share product suggestions on the Azure Feedback Forum

Business Email: Uncompromised – Part Two

Giulian Garruba — Thu, 25 Feb 2021 23:33:28 GMT

This blog is part two of a three-part series focused on business email compromise.

In the previous blog in this series, we described the components of a classic (or single stage) BEC attack and showed how Microsoft Defender for Office 365 helps you protect against them. In this post, we will look at how BEC attacks have evolved and how new capabilities in Defender for Office 365 provide additional security layers to keep your organizations safe against these evolving patterns.

Understanding Evolving BEC Attack Patterns

In recent years, we have seen BEC attacks grow more complex and now involve multiple stages. Here is how they work:

Once the attacker has identified the target organization, they attempt to compromise the email account of the victim through techniques like credential phishing or reusing previously leaked passwords.
The attacker subsequently sets up a forwarding rule on the victim’s email account. This enables the attacker to conduct reconnaissance on the target and monitor new emails from partners or vendors, typically those that involve a financial exchange.
Once a transaction of interest is identified, the attacker inserts themselves in the middle of an active email conversation through the tactics we described in our previous blog: using either user or domain impersonation, or a domain spoofing attack. The idea is to dupe the victim into trusting the attacker (who’s posing as the trusted vendor) and taking specific actions. The attacker can carry out multiple parallel conversations posing as one entity to another.
Finally, the attacker modifies the wire transfer or financial transaction details, leading the victim to process a fake invoice.

Figure 1: The stages of multi-stage BEC attacks

In recent months, we have updated Defender for Office 365 in multiple ways to help customers secure themselves against each stage of these evolving attack patterns.

Preventing Credential Phishing & Account Compromise

In the stages we discussed above, the first step is typically account compromise using a tactic like credential phishing. To block credential phishing mails, Defender for Office 365 is constantly updating its multi-layered email filtering stack which includes capabilities such as Safe Links, Safe Attachments and multiple machine learning models that scan and sandbox emails, files, and URLs to detect credential harvesting sites and block them. Additionally, Safe Links provides time-of-click protection for links in emails and is integrated into Office apps like Word, Excel and PowerPoint, to block exposure to malicious sites. Safe Links capabilities are available for both mails that come from outside your organization and internal mails within your organization. Defender for Office 365 is the only solution that can provide internal email protection within the compliance boundary of Office 365. No need to journal mails to external systems or grant mailbox access to external services.

We have also recently updated our machine learning models that detect anomalous account behavior and trigger alerts. You can learn more about how Defender for Office 365 identifies, automatically investigates, and remediates compromised user accounts.

Office 365 customers that leverage Azure Active Directory for identity access management can configure security defaults that enable Multi-Factor Authentication and disable legacy authentication for your Office 365 environment. This eliminates risk of password spray and account compromise in more than 99.9% of cases.

External Email Forwarding in Office 365 Now Disabled by Default

As we move to the next step in the typical multi-stage attack, we must turn our attention to external forwarding. External forwarding allows attackers to establish persistence and learn more about their victims. We have rolled out a new option in the outbound spam policy that disables external forwarding by default. Additionally, to help our customers get to a secure posture, this policy has been retroactively applied to existing Office 365 mailboxes. This has helped disrupt any existing compromised accounts and BEC activities.

For legitimate scenarios that require email forwarding, administrators can create custom policies and enable forwarding for select mailboxes, while keeping it disabled for the rest of their users. You can learn more about controlling external forwarding in Defender for Office 365 here.

Figure 2: Configure automatic forwarding in the outbound spam policy

New and Improved Suspicious Forwarding Alerts

In addition to disabling external forwarding by default, Defender for Office 365 has introduced a new alert that detects suspicious forwarding related activity. The alert can warn administrators when suspicious forwarding activity is detected and enables them to conduct further investigation, remediate the account, and prevent any suspicious wire transfer activities.

Figure 3: Suspicious email forwarding activity alerts

Tools to Improve User Awareness

Employees are an organization’s greatest asset, but they are also susceptible to falling prey to these evolving attacks. An important way to strengthen your defenses against all cyber threats is through user awareness.

For awareness programs to be successful, they must offer intuitive learning moments for your employees. What differentiates Microsoft from all other email security vendors is our ability to natively integrate security features into the products like Outlook and Office 365 apps. This integration provides both protection and awareness for your users.

New Safety Tips Options

Defender for Office 365 already provides various safety tips that are shown to end users of an email to enhance user awareness. We recently launched a new safety tip that enables email users to self-detect suspicious emails based on a signal related to first time contact between a sender and recipient(s).

If you receive an email from a sender for the first time or do not often get emails from this sender, you will see a safety tip displayed in your Outlook client as shown below to warn you that this email might be suspicious.

Figure 4: First contact safety tip warns users of suspicious email

Imagine being in the middle of an email chain with your business partner or vendor and receiving this warning message. That is a strong indicator of a potential business email compromise attempt. This capability adds an extra layer of security protection and creates awareness for users against such attacks.

You can learn more about configuring first contact safety tips in your Office 365 tenant.

Native Link Rendering

Phishing trainings usually educate users to verify links in email apps by hovering over these links to reveal their destination. Many email security products rewrite these URLs, making it difficult for users to decipher the destination URL and reducing the value of the training. Safe Links in Defender for Office 365 goes beyond rewriting URLs and natively integrates with Outlook and Office 365 apps. Native link rendering allows users to see the destination URL when they hover over the link, but still protects them from malicious links by evaluating these links at time-of-click. This capability is unique to Defender for Office 365, and its native integrations with Office apps preserve your investments in phishing and user awareness training.

Attack Simulation & Training

It's critical that your end users are trained to spot suspicious messages and the indicators we’ve discussed so far, and the most effective way to train your users is to emulate real threats with intelligent simulations. In January we announced the general availability of Attack simulation training in Microsoft Defender for Office 365. Rebuilt from the ground up, Attack simulation training enables customers to train their employees to recognize red flags that might indicate a business email compromise attack. Industry-leading training from Terranova Security caters to diverse learning styles, engaging employees in defending the organization. You can learn more about these new capabilities here.

Figure 5: Attack simulation training engages employees in defending the organization

Coming up in Part 3….

In this blog we covered several ways that Microsoft Defender for Office 365 has been updated to help prevent evolving business email compromise attacks. We encourage readers to review these new capabilities and enable them in their environments.

In the next post in this series, we will look at the impact of these protections and the work we are doing outside the product in partnership with other security teams at Microsoft to further secure our customers. We’ll wrap up the series with best practice recommendations to ensure your organization stays protected against business email compromise attacks. Stay tuned!

Sync Up – a OneDrive podcast : Episode 18, “Better together: Teams+ OneDrive”

Ankita Kirti — Thu, 25 Feb 2021 20:36:31 GMT

Sync Up is your monthly podcast hosted by the OneDrive team taking you behind the scenes of OneDrive, shedding light on how OneDrive connects you to all your files in Microsoft 365 so you can share and work together from anywhere. You will hear from experts behind the design and development of OneDrive, as well as customers and Microsoft MVPs. Each episode will also give you news and announcements, special topics of discussion, and best practices for your OneDrive experience.

So, get your ears ready and Subscribe to Sync up podcast!

In episode 18 , cohosts Jason Moore and Ankita Kirti talk with Cory Kincaid, a Customer Success Manager for Modern Work, who advises customers on how to use technologies like Teams and OneDrive to improve their business.

To learn more about this check out our latest blog - Better together: Accomplish more during the day with Teams + OneDrive

You'll also get guidance on how to combat current workplace issues like "employee burnout" and "screen fatigue" as well as find out the team's favorite article of "pandemic clothing."

Tune in!

Meet your show hosts and guests for the episode:

Jason Moore is the Principal Group Program Manager for OneDrive and the Microsoft 365 files experience. He loves files, folders, and metadata. Twitter: @jasmo

Ankita Kirti is a Product Manager on the Microsoft 365 product marketing team responsible for OneDrive for Business. Twitter: @Ankita_Kirti21

Cory Kincaid is a Customer Success Manager for Modern Work, who advises customers on how to use technologies like Teams and OneDrive to improve their business productivity.

Additional guests:

Ryan Voelki and Tatyanah Castillo, also customer success managers for Modern Work, who take a #HumansFirst approach to helping customers navigate their digital transformation.

Quick links to the podcast

Main show page
Apple Podcasts
RSS
Stitcher
Spotify
Google
TuneIn
Listen and subscribe to other Microsoft podcasts at aka.ms/microsoft/podcasts

Links to resources mentioned in the show:

What's new in Microsoft Teams aka.ms/teamsresources
Do it on Teams [training] aka.ms/doitonteams
Exploring the Science of Work and Ingenuity: WorkLab: Vital facts about the future of work. (microsoft.com)
Welcome to Microsoft Teams | Microsoft Docs
Creating customized meetings experiences with apps in Microsoft Teams - Microsoft Tech Community
Tips for Teams meetings (Video)
OneDrive Tech Community Blog
OneDrive On-Demand - a one stop shop for all the podcast, webinar and customer evidence related to OneDrive.
Microsoft Docs - The home for Microsoft documentation for end users, developers, and IT professionals.
Microsoft Tech Community Home
M365 Roadmap
Microsoft Ignite the tour
Stay on top of Office 365 changes

Be sure to visit our show page to hear all the episodes, access the show notes, and get bonus content. And stay connected to the OneDrive community blog where we’ll share more information per episode, guest insights, and take any questions from our listeners and OneDrive users. We, too, welcome your ideas for future episodes topics and segments. Keep the discussion going in comments below.

As you can see, we continue to evolve OneDrive as a place to access, share, and collaborate on all your files in Office 365, keeping them protected and readily accessible on all your devices, anywhere. We, at OneDrive, will shine a recurring light on the importance of you, the user. We will continue working to make OneDrive and related apps more approachable. The OneDrive team wants you to unleash your creativity. And we will do this, together, one episode at a time.

Thanks for your time reading and listening to all things OneDrive,

Ankita Kirti – OneDrive | Microsoft

Better together: Accomplish more during your day with Teams + OneDrive

Ankita Kirti — Thu, 25 Feb 2021 20:06:33 GMT

For most people, remote work—whether part-time or full-time—is the new way of working. That’s why over 115 million daily users rely on Microsoft Teams to connect and collaborate, and also why Teams was recognized as a Leader in the Gartner Magic Quadrant for Unified Communications as a Service. We designed Teams, your digital hub for teamwork, and OneDrive, your personal cloud storage that lets you access your files from anywhere, to work seamlessly and securely together. You can use Microsoft 365 Apps including Word, PowerPoint, Excel, or OneNote notebooks to create your work, store those files using OneDrive, and share them securely with colleagues in Teams, where you can co-author documents, meet with your teammates, and chat or meet with people inside or outside organization, all in one place.

Imagine a day in the life using Teams + OneDrive

Let’s walk through a day of using OneDrive and Teams together for work. You’re preparing a PowerPoint presentation for a conference call with an important client, Contoso, later in the week. In the morning, you open Teams and select the Files list, which shows you Recent files you’ve been working on, your Microsoft Teams files, and Downloads, as well as any cloud storage services connected with Teams. OneDrive is the default files app for Microsoft 365. When you click on OneDrive, you can see all your individual files for work. You can quickly add, upload, and sync files right in Teams, or open in them directly OneDrive.

In the OneDrive view, you navigate to a folder called “Contoso Electronics” and open the Contoso Electronics Sales presentation draft you’ve been working on and recently shared with your manager for review via chat in Teams. When you share your OneDrive files in chat, each file has unique permissions granted based on the person or people in the chat—that way, you don’t have to worry about unintended recipients accessing your content.

After you’ve reviewed your manager’s edits and updated the presentation, you decide it’s ready for the whole team to review. Your department has a team called “ Contoso” where you share and manage all deliverables for the client. Whenever a team is created, a corresponding Microsoft 365 Group and SharePoint shared library are also automatically created. All the files created in or uploaded to your Contoso folder are stored and backed up in the SharePoint library. You copy the presentation from your OneDrive to the documents folder within Contoso team and then select the Posts tab to leave a message to let everyone on your team know the file is ready for review. Leveraging OneDrive you can sync all the files in the Contoso shared library directly to your device so you can work on them while offline.

Due to the deep integration between OneDrive, Teams, and Office, your team can select from a variety of tools to annotate, highlight, and comment on content. They can use @mentions to flag comments and tasks for you or other reviewers, and they can also track version history and restore previous file versions as needed. And because all edits are synced and stored in the cloud, they can start editing a document on one device and finish it on another. When the afternoon team meeting to review the presentation begins, everyone can easily access the file to review each other’s comments and use co-authoring to finish editing the presentation together in real time.

Later in the day, you’ve scheduled focus time to work on a project outlining the go-to market plan for a new product series. A co-worker has already started the outline and uploaded the document to the Go-To Market channel in Teams. You decide to work on the document at a park near your house, so you take your tablet. Since you had already added a shortcut to the Go To Market shared library using the Add to OneDrive feature, which brings all your shared content from OneDrive, Teams, and SharePoint into one place , you can swiftly fetch the outline and start working on the same right within your OneDrive app. You also realize that several GTM deliverables are missing approved vendor contracts. Using the file request feature in OneDrive you create an upload-only link and share the same in your “Partner Program“ team which consists of all your suppliers as guests members. This enables each vendor to upload their proposed scope of work directly to your OneDrive in a location that you chose—without having visibility to the other files in the folder.

Share files and collaborate securely, with peace of mind

While popular online storage apps integrate with Teams so you can access and share files, OneDrive provides a more secure sharing experience to help control data leakage and access to sensitive company information. Having your content in OneDrive enables you to share files as a link, internally and externally, so that every recipient has access to the most updated version. Depending on how your IT organization has configured sharing permissions in OneDrive and SharePoint, you can set permissions for who can access that link—anyone, people only inside the organization, specific people or people in the Teams group chat—and whether they can view or edit the file. You can also set expiration dates (for example, for outside vendors you don’t want accessing files or folders past a certain date) or set passwords to protect sensitive company or employee information. Blocking downloads on files also prevents recipients from saving files to their computers.

Sharing integration in Microsoft Teams

Work confidently, knowing that IT can protect your data

Exposure of sensitive company or client information can have serious legal and compliance implications. Today’s remote working environment can heighten these worries for IT, because people need to share information outside the bounds of a protected company environment. Teams and OneDrive not only provide coherent collaborative experiences for you but also bring consistency for the admins as they maintain the productivity apps. Instead of managing multiple third-party tools in silo the seamless integration between Teams and OneDrive empower admins to set governance and compliance policies at an organization level that can be extended to both OneDrive and Teams.

To keep you protected, IT can configure secure sharing policies in OneDrive which automatically gets adopted by Teams, ensuring you have the tools you need to collaborate securely and consistently.

IT can also use Microsoft Information Protection to create policies for automatic classification of sensitive data, so if you create a document that contains sensitive client data, that document will automatically be classified by the system and encrypted for additional protection. This takes the burden of worrying about security off you, letting you focus on getting work done. Using information barriers, IT can also restrict communication and collaboration in Teams or OneDrive between two departments or segments to avoid a conflict of interest from occurring or between certain people to safeguard internal information.

IT can also keep an eye on how you and your team interact with shared content, adding an extra layer of security and control. Through detailed audit logs and reports available in the Microsoft 365 Security and Compliance Center, IT can trace OneDrive activity at the folder, file, and user levels, so they can see at a glance if any unauthorized users have tried to access sensitive company or client information. Every user action, including changes and modifications made to files and folders, is recorded for a full audit trail. In addition, even remotely, IT has the device visibility and control that’s especially important for thwarting breaches and ransomware attacks.

To learn more about why Teams and OneDrive are better together and how you can streamline your workday, check out our latest episode on Sync Up- a OneDrive podcast where we talk with Cory Kincaid, a Customer Success Manager for Modern Work, who advises customers on how to use technologies like Teams and OneDrive to improve their business.

Thank you for your time reading all about OneDrive,

Ankita Kirti

OneDrive

Ombromanie: Creating Hand Shadow stories with Azure Speech and TensorFlow.js Handposes

jelooper — Thu, 25 Feb 2021 19:09:52 GMT

Have you ever tried to cast hand shadows on a wall? It is the easiest thing in the world, and yet to do it well requires practice and just the right setup. To cultivate your #cottagecore aesthetic, try going into a completely dark room with just one lit candle, and casting hand shadows on a plain wall. The effect is startlingly dramatic. What fun!

Even a tea light suffices to create a great effect

In 2020, and now into 2021, many folks are reverting back to basics as they look around their houses, reopening dusty corners of attics and basements and remembering the simple crafts that they used to love. Papermaking, anyone? All you need is a few tools and torn up, recycled paper. Pressing flowers? All you need is newspaper, some heavy books, and patience. And hand shadows? Just a candle.

This TikTok creator has thousands of views for their handshadow tutorials

But what's a developer to do when trying to capture that #cottagecore vibe in a web app?

High Tech for the Cottage

While exploring the art of hand shadows, I wondered whether some of the recent work I had done for body poses might be applicable to hand poses. What if you could tell a story on the web using your hands, and somehow save a video of the show and the narrative behind it, and send it to someone special? In lockdown, what could be more amusing than sharing shadow stories between friends or relatives, all virtually?

Hand shadow casting is a folk art probably originating in China; if you go to tea houses with stage shows, you might be lucky enough to view one like this!

A Show Of Hands

When you start researching hand poses, it's striking how much content there is on the web on the topic. There has been work since at least 2014 on creating fully articulated hands within the research, simulation, and gaming sphere:

MSR throwing hands

There are dozens of handpose libraries already on GitHub:

There are many applications where tracking hands is a useful activity:

• Gaming
• Simulations / Training
• "Hands free" uses for remote interactions with things by moving the body
• Assistive technologies
• TikTok effects :trophy:
• Useful things like Accordion Hands apps

One of the more interesting new libraries, handsfree.js, offers an excellent array of demos in its effort to move to a hands free web experience:

Handsfree.js, a very promising project

As it turns out, hands are pretty complicated things. They each include 21 keypoints (vs PoseNet's 17 keypoints for an entire body). Building a model to support inference for such a complicated grouping of keypoints has provenn challenging.

There are two main libraries available to the web developer when incorporating hand poses into an app: TensorFlow.js's handposes, and MediaPipe's. HandsFree.js uses both, to the extent that they expose APIs. As it turns out, neither TensorFlow.js nor MediaPipe's handposes are perfect for our project. We will have to compromise.

TensorFlow.js's handposes allow access to each hand keypoint and the ability to draw the hand to canvas as desired. HOWEVER, it only currently supports single hand poses, which is not optimal for good hand shadow shows.
MediaPipe's handpose models (which are used by TensorFlow.js) do allow for dual hands BUT its API does not allow for much styling of the keypoints so that drawing shadows using it is not obvious.

One other library, fingerposes, is optimized for finger spelling in a sign language context and is worth a look.

Since it's more important to use the Canvas API to draw custom shadows, we are obliged to use TensorFlow.js, hoping that either it will soon support multiple hands OR handsfree.js helps push the envelope to expose a more styleable hand.

Let's get to work to build this app.

Scaffold a Static Web App

As a Vue.js developer, I always use the Vue CLI to scaffold an app using vue create my-app and creating a standard app. I set up a basic app with two routes: Home and Show. Since this is going to be deployed as an Azure Static Web App, I follow my standard practice of including my app files in a folder named app and creating an api folder to include an Azure function to store a key (more on this in a minute).

In my package.json file, I import the important packages for using TensorFlow.js and the Cognitive Services Speech SDK in this app. Note that TensorFlow.js has divided its imports into individual packages:

"@tensorflow-models/handpose": "^0.0.6",
"@tensorflow/tfjs": "^2.7.0",
"@tensorflow/tfjs-backend-cpu": "^2.7.0",
"@tensorflow/tfjs-backend-webgl": "^2.7.0",
"@tensorflow/tfjs-converter": "^2.7.0",
"@tensorflow/tfjs-core": "^2.7.0",
...
"microsoft-cognitiveservices-speech-sdk": "^1.15.0",

Set up the View

We will draw an image of a hand, as detected by TensorFlow.js, onto a canvas, superimposed onto a video suppled by a webcam. In addition, we will redraw the hand to a second canvas (shadowCanvas), styled like shadows:

<div id="canvas-wrapper column is-half">
<canvas id="output" ref="output"></canvas>
    <video
        id="video"
        ref="video"
        playsinline
        style="
          -webkit-transform: scaleX(-1);
           transform: scaleX(-1);
           visibility: hidden;
           width: auto;
           height: auto;
           position: absolute;
         "
    ></video>
 </div>
 <div class="column is-half">
    <canvas
       class="has-background-black-bis"
       id="shadowCanvas"
       ref="shadowCanvas"
     >
    </canvas>
</div>

Load the Model, Start Keyframe Input

Working asynchronously, load the Handpose model. Once the backend is setup and the model is loaded, load the video via the webcam, and start watching the video's keyframes for hand poses. It's important at these steps to ensure error handling in case the model fails to load or there's no webcam available.

async mounted() {
    await tf.setBackend(this.backend);
    //async load model, then load video, then pass it to start landmarking
    this.model = await handpose.load();
    this.message = "Model is loaded! Now loading video";
    let webcam;
    try {
      webcam = await this.loadVideo();
    } catch (e) {
      this.message = e.message;
      throw e;
    }

    this.landmarksRealTime(webcam);
  },

Setup the Webcam

Still working asynchronously, set up the camera to provide a stream of images

async setupCamera() {
      if (!navigator.mediaDevices || !navigator.mediaDevices.getUserMedia) {
        throw new Error(
          "Browser API navigator.mediaDevices.getUserMedia not available"
        );
      }
      this.video = this.$refs.video;
      const stream = await navigator.mediaDevices.getUserMedia({
        video: {
          facingMode: "user",
          width: VIDEO_WIDTH,
          height: VIDEO_HEIGHT,
        },
      });

      return new Promise((resolve) => {
        this.video.srcObject = stream;
        this.video.onloadedmetadata = () => {
          resolve(this.video);
        };
      });
    },

Design a Hand to Mirror the Webcam's

Now the fun begins, as you can get creative in drawing the hand on top of the video. This landmarking function runs on every keyframe, watching for a hand to be detected and drawing lines onto the canvas - red on top of the video, and black on top of the shadowCanvas. Since the shadowCanvas background is white, the hand is drawn as white as well and the viewer only sees the offset shadow, in fuzzy black with rounded corners. The effect is rather spooky!

async landmarksRealTime(video) {
      //start showing landmarks
      this.videoWidth = video.videoWidth;
      this.videoHeight = video.videoHeight;

      //set up skeleton canvas
      this.canvas = this.$refs.output;
      ...

      //set up shadowCanvas
      this.shadowCanvas = this.$refs.shadowCanvas;
      ...

      this.ctx = this.canvas.getContext("2d");
      this.sctx = this.shadowCanvas.getContext("2d");

      ...

      //paint to main

      this.ctx.clearRect(0, 0, this.videoWidth, 
  this.videoHeight);
      this.ctx.strokeStyle = "red";
      this.ctx.fillStyle = "red";
      this.ctx.translate(this.shadowCanvas.width, 0);
      this.ctx.scale(-1, 1);

      //paint to shadow box

      this.sctx.clearRect(0, 0, this.videoWidth, this.videoHeight);
      this.sctx.shadowColor = "black";
      this.sctx.shadowBlur = 20;
      this.sctx.shadowOffsetX = 150;
      this.sctx.shadowOffsetY = 150;
      this.sctx.lineWidth = 20;
      this.sctx.lineCap = "round";
      this.sctx.fillStyle = "white";
      this.sctx.strokeStyle = "white";

      this.sctx.translate(this.shadowCanvas.width, 0);
      this.sctx.scale(-1, 1);

      //now you've set up the canvases, now you can frame its landmarks
      this.frameLandmarks();
    },

For Each Frame, Draw Keypoints

As the keyframes progress, the model predict new keypoints for each of the hand's elements, and both canvases are cleared and redrawn.

      const predictions = await this.model.estimateHands(this.video);

      if (predictions.length > 0) {
        const result = predictions[0].landmarks;
        this.drawKeypoints(
          this.ctx,
          this.sctx,
          result,
          predictions[0].annotations
        );
      }
      requestAnimationFrame(this.frameLandmarks);

Draw a Lifelike Hand

Since TensorFlow.js allows you direct access to the keypoints of the hand and the hand's coordinates, you can manipulate them to draw a more lifelike hand. Thus we can redraw the palm to be a polygon, rather than resembling a garden rake with points culminating in the wrist.

Re-identify the fingers and palm:

     fingerLookupIndices: {
        thumb: [0, 1, 2, 3, 4],
        indexFinger: [0, 5, 6, 7, 8],
        middleFinger: [0, 9, 10, 11, 12],
        ringFinger: [0, 13, 14, 15, 16],
        pinky: [0, 17, 18, 19, 20],
      },
      palmLookupIndices: {
        palm: [0, 1, 5, 9, 13, 17, 0, 1],
      },

...and draw them to screen:

    const fingers = Object.keys(this.fingerLookupIndices);
      for (let i = 0; i < fingers.length; i++) {
        const finger = fingers[i];
        const points = this.fingerLookupIndices[finger].map(
          (idx) => keypoints[idx]
        );
        this.drawPath(ctx, sctx, points, false);
      }
      const palmArea = Object.keys(this.palmLookupIndices);
      for (let i = 0; i < palmArea.length; i++) {
        const palm = palmArea[i];
        const points = this.palmLookupIndices[palm].map(
          (idx) => keypoints[idx]
        );
        this.drawPath(ctx, sctx, points, true);
      }

With the models and video loaded, keyframes tracked, and hands and shadows drawn to canvas, we can implement a speech-to-text SDK so that you can narrate and save your shadow story.

To do this, get a key from the Azure portal for Speech Services by creating a Service:

You can connect to this service by importing the sdk:

import * as sdk from "microsoft-cognitiveservices-speech-sdk";

...and start audio transcription after obtaining an API key which is stored in an Azure function in the /api folder. This function gets the key stored in the Azure portal in the Azure Static Web App where the app is hosted.

async startAudioTranscription() {
      try {
        //get the key
        const response = await axios.get("/api/getKey");
        this.subKey = response.data;
        //sdk

        let speechConfig = sdk.SpeechConfig.fromSubscription(
          this.subKey,
          "eastus"
        );
        let audioConfig = sdk.AudioConfig.fromDefaultMicrophoneInput();
        this.recognizer = new sdk.SpeechRecognizer(speechConfig, audioConfig);

        this.recognizer.recognized = (s, e) => {
          this.text = e.result.text;
          this.story.push(this.text);
        };

        this.recognizer.startContinuousRecognitionAsync();
      } catch (error) {
        this.message = error;
      }
    },

In this function, the SpeechRecognizer gathers text in chunks that it recognizes and organizes into sentences. That text is printed into a message string and displayed on the front end.

Display the Story

In this last part, the output cast onto the shadowCanvas is saved as a stream and recorded using the MediaRecorder API:

const stream = this.shadowCanvas.captureStream(60); // 60 FPS recording
      this.recorder = new MediaRecorder(stream, {
        mimeType: "video/webm;codecs=vp9",
      });
      (this.recorder.ondataavailable = (e) => {
        this.chunks.push(e.data);
      }),
        this.recorder.start(500);

...and displayed below as a video with the storyline in a new div:

      const video = document.createElement("video");
      const fullBlob = new Blob(this.chunks);
      const downloadUrl = window.URL.createObjectURL(fullBlob);
      video.src = downloadUrl;
      document.getElementById("story").appendChild(video);
      video.autoplay = true;
      video.controls = true;

This app can be deployed as an Azure Static Web App using the excellent Azure plugin for Visual Studio Code. And once it's live, you can tell durable shadow stories!

Try Ombromanie here. The codebase is available here

Take a look at Ombromanie in action:

Learn more about AI on Azure
Azure AI Essentials Video covering speech and language
Azure free account sign-up

AKS-HCI Now Supports Strong Authentication Using Active Directory Credentials

slahiri — Thu, 25 Feb 2021 19:05:01 GMT

Overview

AKS-HCI , short for Azure Kubernetes Service on Azure Stack HCI is an on-premises Microsoft supported Kubernetes offering. AKS-HCI is built of and consistent with open-source Kubernetes offering. AKS-HCI simplifies on-premises Kubernetes deployment by offering a automated and standardized approach to deploying and managing Kubernetes clusters.

AKS-HCI provides consistency with Azure Kubernetes Service as much as possible in feature and operational details. This presents choices for deploying on-premises workloads and simplifies instrumentation of workload mobility between cloud and the edge.

AKS-HCI is designed from the get-go with security as one of its principal value propositions. An earlier blog written by my colleague, provides an overview of the security story for AKS-HCI.

As shown in the diagram above, the AKS-HCI security model follows least privilege principal. The all-powerful management cluster, the cluster used to create the workload clusters (also called resource clusters) is managed by handful of administrators and access to it is limited. Direct access to container host (think ability to SSH) is not allowed.

Each resource (workload) cluster deploys one or more virtual machine serving as container host for the workload cluster. The container host runs the control plane and the worker pods. Virtual machines provide strong kernel level isolation and contain the blast radius by preventing malware from escaping out to the host and affecting other workload clusters. Administrators also have the option to create separate physical clusters.

Finally, the containers themselves running within the virtual machine are process isolated with their respective resources and namespaces.

AKS-HCI Built with Strong Identity & Access Management Foundation

AKS-HCI supports both AD (Active Directory) and AAD (Azure Active Directory) identities. Connectivity to AKS-HCI via AAD identity is instrumented via Azure Arc integration. Starting February as part of the public preview, AKS-HCI will be supporting authentication and Single Sign On via AD (Active Directory) identity using kubectl

AD (Active Directory) Authentication provides several advantages over using certificate-based client authentication.

Kubernetes (a.k.a. K8S) uses configuration (referred as “kubeconfig”) stored on the client machine to connect to the api-server. This configuration contains authentication information to connect to the api-server. Any interaction with the K8 cluster happens via the api-server, one can think of having access to the api-server as having keys to the K8 kingdom. Hence access to the api-server that is built on strong identity and access management foundation is critical to securing your K8 deployment.

Kubernetes offers various options to connect to the api-server, of those the configuration used to connect to the api-server using AD identity is the most secure, this is primarily because AD kubeconfig (think of AD kubeconfig as a type of kubeconfig) does not hold any secret that can potentially be used to compromise access to the api-server.

By default, AKS-HCI uses “certificate” based kubeconfig to connect clients to the api-server. The certificate based kubeconfig contains authentication information such as private keys. If malware or attacker gets access to this configuration file, they will be able to get access to the api-server and that would be like getting keys to the kingdom. As mentioned, earlier, by contrast the AD kubeconfig does not hold any secret and merely having possession of AD kubeconfig does not grant access to the cluster. Eliminating the need to safely distribute kubeconfig improves security and efficiency, directly attributable to significant cost savings.

AD kubeconfig complements the “certificate” based kubeconfig, while certificate based kubeconfig is available to a select group of admins and used to connect to the cluster for initial provisioning (including setting up AD integration), the AD kubeconfig can be freely distributed without any security concerns to a wider group of users. An important distinction to note, unlike static configuration e.g. certificate based kubeconfig where users with the same configuration will always resolve to the same privileges, AD kubeconfig dynamically resolves privileges based on the user context it is applied.

Another benefit is the representation of identities in SID format, the human friendly group names in the role binding definition are stored in the SID format as K8 CRD. This provides protection against any human error in representing group names and naming conflicts or collisions as the group names need to resolve to corresponding SIDs in the domain server before access is granted. A related extension to this is the ability to represent AD groups in the RBAC role bindings, more on that in later part.

The windows server or the container host does not need to be domain joined for AD Authentication to work as long as the domain server and container host are time synchronized.

Lastly, integration with Active Directory provide the opportunity to take advantage of Microsoft Defender for Identity to detect advanced threat attacks. You may follow this link to find out more about how to set up Microsoft Defender for Identity.

Let's now dive a bit into the trenches on AD integration works under the hood.

How it Works Under the Hood

The underlying implementation uses Kerberos protocol and requires Active Directory domain joined windows client. The client authenticates to the server (in our case K8 api-server) using Kerberos protocol. A few things need to be set up before the cluster can accept AD credentials for Authentication.

As shown in the diagram, an AD account for the api-server and corresponding SPN (service principal name) should be created on the AD domain server, the AD domain server also acts as the key distribution center. Next, a "keytab" corresponding to the the SPN needs to be generated.

Keytab contains symmetric encryption keys used to decrypt service tickets, the service ticket is presented to the api-server from the client machine.

These service tickets represent AD groups in SID format that is provided to the client upon successful authentication to the domain server. More details to follow on this flow.

A tool like ktpass (for windows machines) or ktutil (for linux machines) can be used to generate keytab. A client-side plugin is part of the installation to broker communication between kubectl and the api-server.

Three Fundamental Loops of Authentication Flow

At it's essence, the flow consists of three fundamental loops. . The “first loop” is the user acquiring the “service ticket” from the domain server contingent on successful authentication (we will get into this in a minute). This service ticket has user’s group membership in SID format.

The service ticket is generated for specific SPN (api-server in our case) and is provided to the user based on the user presenting what is known as TGT (ticket granting ticket). The user is able to get TGT based on successfully logging into the windows domain joined machine using their SSO credentials.

The “second loop” is the user presenting the “service ticket” to the api-server when she attempts to connect to the api-server via kubectl. This serves two purposes, to authenticate and authorize.

The “third” and the final loop is the api-server then taking the “service ticket”, unwrapping and unpacking the service ticket using keytab secret stored as K8 secret.

The api-server unpacks the ticket, extracts the group information, and validates against the RBAC (role-based access control) configuration (a.k.a role bindings in K8). In order for the user to execute command via kubectl both authentication and authorization steps need to complete successfully.

For the api-server to be able to unwrap the service ticket using the key stored in the keytab file, the user account and the api-server account doesn't need to share the same domain server, most organizations would keep those separate. If the account are on different domain servers they need to share the same forest and if they are on different forests they need to have trust relationship. For more details on how trust relationships work, refer to this link

Using AD Groups for Authorization

RBAC in K8 is defined in configuration known as “role bindings”. It is a two-step process where a role is defined and then the role is bound to user or group using role bindings. With AD integration users now have the ability to bind roles to AD groups.

When the service ticket is unpacked the group names are compared against the AD groups defined in role binding and access is granted based on the role binding definition.

Details on Few Anticipated Questions about this feature

Q: Do I need continuous connectivity of the container host to my domain server for AD Authentication to work

The container host does not need to have connectivity to the domain server, however, ensure the keytab is updated when the AD password of the api-server is updated.

Q: What is the expected behavior if the password on the AD account of the api-server expires

The service ticket granted to the api-server is cached for about 8-10 hours after which the keytab file (based on prior api-server password) would not be able to decrypt the service ticket and the authentication will fail.

Q: What are the next steps to enable AD Authentication if the api-server password expires

AD admin creates a new password and new keytab is generated. Un-install and re-install AD with the new keytab.

Q: Will AKS-HCI alert me, if api-server AD password is about to expire

AKS-HCI does not have direct line of sight to AD and cannot alert on expiring password.

Q: Can I renew my password before it expires

Yes, you can update the password, refer to the AD SSO set up and installation document for more details.

Ready to deploy refer the deployment guide for the setting up Active Directory enabled SSO

Stay Tuned for more

We are releasing AD integration for the resource / workload clusters, we will follow up integrating the management cluster in later releases including extending AD Authentication to Windows Admin Center (WAC). Stay tuned as we continue to bring new security features to AKS-HCI.

Optimize Existing Databases & Apps with Operational Analytics in Azure SQL - Part 2 | Data Exposed

MarisaBrasile — Thu, 25 Feb 2021 18:43:30 GMT

You don’t necessarily need to change your data models and applications to run operational analytics workloads on Azure SQL. In part two of this three-part series with Silvano Coriani, we will explore Azure SQL capabilities to optimize your databases for mixed workloads on real-time data.

Watch on Data Exposed

Resources:
Get started with Columnstore for real-time operational analytics
Sample performance with Operational Analytics in WideWorldImporters
T-SQL Window Functions: For data analysis and beyond, 2nd Edition
Real-Time Operational Analytics:
Memory-Optimized Tables and Columnstore Index
DML operations and nonclustered columnstore index (NCCI) in SQL Server 2016
Filtered nonclustered columnstore index (NCCI)

View/share our latest episodes on Channel 9 and YouTube!

Help us scale public folder hierarchy in Exchange Online

The_Exchange_Team — Thu, 25 Feb 2021 18:14:41 GMT

Note: Nominations for this program are now closed

We would like to have Exchange Online customers (who would like to participate in a preview program) help us improve the public folder hierarchy synchronization process. The preview program is called Hierarchy-Read-Replica (HRR) Preview.

Before we tell you more details of the HRR Preview program, you may want to read about the current public folder hierarchy synchronization here and then return to this post again.

Welcome back!

As you learned here, currently, the primary PF mailbox is the only source of hierarchy synchronization for all secondary PF mailboxes. This model can cause the following issues:

End-users might not be able to access public folder for hours, if on-boarding of public folders to Exchange online was just completed.
Hierarchy changes might not be synchronized to public folder mailboxes, which in turn might cause end-user issues like not being able to view or perform specific action on a public folder, even though user has required permissions.

As a solution to this problem, we are going in with a more distributed approach to propagate hierarchy changes, using a set of hierarchy-healthy secondary mailboxes and excluding them from serving hierarchy to end-users (which will dedicate them to hierarchy propagation tasks). This design will distribute the load from a single master mailbox to multiple mailboxes, hence improving overall performance.

The benefit you get by participating in the preview program is:

Be the early bird to be benefit from proposed improvements
Communicate directly with the engineering team

To join, you must meet the following eligibility criteria:

Public folders deployed in Exchange Online or public folder migration to Exchange Online nearing completion
Minimum of 100 public folder mailboxes in use

Sounds interesting? You can send us your nomination by filling in this form (link removed because nominations are closed), and we’ll contact you with further details.

Public Folder team

Predicting your next insider risks (UNCOVERING HIDDEN RISKS – Episode 2)

aletheap — Thu, 25 Feb 2021 17:00:00 GMT

Host: Raman Kalyan – Director, Microsoft

Host: Talhah Mir - Principal Program Manager, Microsoft

Guest: Dan Costa – Technical Manager, Carnegie Mellon University

The following conversation is adapted from transcripts of Episode 2 of the Uncovering Hidden Risks podcast. There may be slight edits in order to make this conversation easier for readers to follow along. You can view the full transcripts of this episode at: https://aka.ms/uncoveringhiddenrisks

In this podcast we explore the challenges of addressing insider threats and how organizations can improve their security posture by understanding the conditions and triggers that precede a potentially harmful act. And how technological advances in prevention and detection can help organizations stay safe and steps ahead of threats from trusted insiders.

RAMAN: Hi, I'm Raman Kalyan, I'm with Microsoft 365 Product Marketing Team.

TALHAH: And I'm Talhah Mir, Principal Program Manager on the Security Compliance Team.

RAMAN: We're going to be talking about insider threat challenges and where they come from, how to recognize them, what to do, and today we're talking to Dan Costa.

TALHAH: Dan Costa, the man who's got basically the brainpower of hundreds of organizations that he works with across the world and given a chance to talk to him and distill this down in terms of what are some of the trends and what are some of the processes and procedures you can take to manage this risk. Super excited about this, man. Let's just get right into it.

TALHAH: Dan, you want to just introduce yourself, give a little background on yourself, and Carnegie Mellon and all that stuff?

DAN: Yeah, sure thing. So Dan Costa, I'm the Technical Manager of the CERT National Insider Threat Center here at Carnegie Mellon University Software Engineering Institute. We're a federally funded research and development center solving long term enduring cybersecurity and software engineering challenges on behalf of the DOD. One of the unique things about the Software Engineering Institute is that we are chartered and encouraged to go out and engage with industry as well, solving those long term cybersecurity and software engineering challenges.

And my group leads kind of the SEI's insider threat research. So collecting and analyzing insider incident data to gain an understanding of how insider incidents tend to evolve over time, what vulnerabilities exist within our organizations that enable insiders to carry out their attacks, and what organizations can and should be doing to help better protect, prevent, detect, and respond to insider threats to their critical assets.

RAMAN: That's awesome. Dan, how did you get into this space?

DAN: Yeah, so I've been with the SEI (Software Engineering Institute) since 2011. I came onboard actually to work on the insider threat team as a software engineer, developing some data collection and analysis capabilities for some of our early insider threat vulnerability assessment methodologies. And since 2011, have really gotten a chance to have my hand in nearly every phase of kind of the insider threat mitigation challenges that organizations experience, not only on the government side, but in the industry as well. Since 2011, I've been able to stand up insider threat programs within the government, within industry, help organizations measure their current security posture as it pertains to insider risk, and try to find ways that organizations can collect and aggregate data from disparate sources within their organization that can help them more proactively manage insider risk.

So that's been work, rolling my sleeves up, working with insider threat analysts, spending lots of time with insider threat analysts in the early years, conducting numerous vulnerability assessments and program evaluations, helping organizations explain to their boards and their senior leadership team the scope and severity and the breadth of the insider threat problem, and help folks understand kind of what they already have in place that can form the foundation for an enterprise-wide insider risk management strategy.

I've been very fortunate since 2011 to really have a hand in almost every aspect of insider threat program building, assessment, justifying the need to have an insider threat program in the first place. Obviously since then had a lot to do with actually collecting and analyzing insider incident data, not only what we have access to publicly, but also learning from how we've collected and analyzed data here at the SEI over almost 20 years, and help organizations understand how they can use their own data collection and analysis capabilities to bolster their insider threat programs.

TALHAH: Awesome. Okay. So Dan, one of the things that roam and I talked about quite a bit is my own journey in this space. I mean, I haven't been fortunate to be in the space as long as you have, but I remember when I came into this space a couple of years back, one of the first places I turned to was Carnegie Mellon. And specifically, CERT. And one of the places you pointed us towards was this treasure trove of knowledge that you have, that you then sort of complement with the OSIT Group to really drive awareness and learning, cross-learning across different subject matter experts. So I'd love to get your story of that journey of how OSIT came about, where was it, where is it going now, and what it looks like going forward.

RAMAN: And for those listening, what does OSIT stand for?

DAN: Yeah, so that's a good place to start. It's the Open Source Insider Threat Information Sharing Group. It's a community of interest of insider threat program practitioners in the private sector that are all trying to help their organizations more effectively manage insider risk. And in the group really is kind of a grassroots activity that was started by the first director of the insider threat center here at CERT, Dawn Capelli who I hear you'll be talking to soon. When Dawn left the SEI to go kind of put her research into practice out in industry, she wanted to establish this community of interest.

And this is something that Dawn had been working on even while she was here at CERT, which was "How do I establish kind of a community of people who are all kind of going down the same roads within their organizations? How can we learn from each other? How can we benchmark? How can we share challenges faced early on? And how we're getting past and around and through and over those challenges?" So in the beginning, the OSIT Group was really probably a handful fold or two of folks that were just in the earliest phases of getting insider threat programs off the ground.

And over the past six to seven years, we've really seen the group blossom really by word of mouth only, into an organization that currently boasts over 500 members and representing about 220 organizations in industry, all building out their own insider threat programs. So because of the community building that that was successful early on and finding time to get together and talk shop with folks that were going through the same things within their organizations, we've been able to over the years, continue to grow that.

And then to mine the knowledge and the experiences gained by the folks that are building their own insider threat programs and try to find ways to generalize those conversations into resources like our commonsense guide to mitigating insider threats, a variety of other research projects that we've been able to leverage the expertise insights, and really willingness to experiment and try new things that we're finding with those insider threat program practitioners.

So we're really there kind of just as stewards of the community. It is governed by members of the group at large. We're there to kind of facilitate conversation discussions, make connections, and do what we can to either bring research questions out from those conversations or find opportunities to apply the findings from our research into organizations that are currently working on these insider threat challenges.

RAMAN: When you think about when things first started, the types of challenges that you were facing the beginning to the types of challenges you're facing now with regards to insiders, how have things evolved?

DAN: Yeah, that's a great question.

RAMAN: Is risk different, or what's evolved in your opinion?

DAN: In the beginning. It was, "What do I call this thing? How do I convince the stakeholders within my organization that I need to work closely with for this to be successful? Information security, human, human resources, legal. How do I convince those folks to share their time, share their resources and partner with us to get this off the ground? How do we navigate successfully incorporating legal, privacy, civil liberties protections into our data collection and analysis efforts?" And those were really the challenges that a handful of years ago, folks were just starting to wrap their heads around, how to address particularly in the industry space. A little bit different for government in insider threat program practitioners, because for cleared populations, not only do you have kind of different expectations for privacy, but you've also got a mandate and a requirement here in the United States to have an insider threat program.

So in the absence of a requirement like that for industry, getting that initial buy-in without having to have had your organization experience a harmful or a loss event perpetrated by an insider were some of the earliest challenges. And now that was six, seven years ago. The conversations that are had within that group now are far beyond that. And certainly, as folks come to the group that are in organizations that are just getting insider threat programs off the ground, they're asking the same questions, because there are the natural questions that they ask me to get started. But for the folks that have been at this for several years now and are a little bit further down the road, it's really interesting to see how those conversations have evolved. Lots of organizations now are trying to think about how we most effectively integrate things like a security operations center, a team of insider threat analysts, our data loss prevention capabilities, our fraud detection capabilities.

How do we make sure that those capabilities we have within our organizations are integrated, not duplicative? What's the right way to share information between them? How do we see the insider threat program being a force multiplier for managing the employee employer relationship within the organizations? How can we be more proactive in our response strategies to not necessarily figuring out how to recover stolen intellectual property? But how can we leverage what we have internal to the organization to address the concerning behaviors and activity that might precede that harmful or loss event? So it's really been a rapid and fascinating evolution over the past handful of years in terms of the types of challenges organizations are taking on within their programs.

TALHAH: So I was going to say, although it feels like there's clearly been an evolution in this space, at the same time, it feels like compared to combating external adversary, we're still very much in the infancy of really getting our hand around as an industry, insider risk management. So for those customers that are new, that are coming into this space, that understand that this is a problem, particularly in this day and age of COVID and work from home, what are some of the guidance or tips that you provide? The top three, five things they should worry about to start off on the right footing when it comes to establishing a robust insider risk management program?

DAN: Yeah. Great question, Tahlah. You bring up a good point, which is we've made a progress kind of as a community, particularly on the industry side over the past several years, but we're still seeing organizations still and insider threat programs, more broadly, struggle with an identity crisis. Which is it's hard for organizations to pinpoint exactly what they mean by insider threats, what the insider threats to their critical assets are, what insider threats to their critical assets they're actually going to do something about compared to what they already have in place.

And because the definition of insider threat is so expansive and overarching, our definition really opens up to just the potential for any misuse of an organization's authorized access to critical assets. So that can span theft of intellectual property, that can lead completely leave the cyber realm and branch out into workplace violence, that that can incorporate things like fraud or theft of intellectual property, IT system sabotage, or even things that aren't necessarily conducted with malicious intent. Because the scope of what the insider threat problem or challenge is, we see organizations use that word to refer to a lot of different things from organization to organization.

So because what the scope of the problem is so broad, we see organizations vary greatly in what chunk of this problem they decide to carve off and try to solve. And compounding that even further, even if we scope the program to one or more of those threats scenarios, let's take theft of intellectual property, for example, there are some prerequisite knowledge that has to be kind of understood within the organization to most effectively address that. What intellectual property are we worried about protecting? Who has authorized access to it? What is normal pattern of access and use look like for that intellectual property?

So where we tell organizations to start is know your critical assets. Know and understand what it is that you're trying to protect from insider misuse. And lots of insider threat programs over the years, we've seen make the mistake of trying to answer that question on their own, taking their best guess, their best educated guess within their organization, and not really reaching out to finding the folks that might have ground truth or the best answer for their organization. So trying to do these things in a bubble within an insider threat program is an early recipe for calamity, an early recipe for either duplicating effort, or not finding the best right answers for your organization.

And also if you can't kind of articulate the scope of what it is that you're trying to protect, you're going to have a really hard time measuring whether or not you've actually been successful at doing the things that you were trying to do. So that's where we always tell folks to start. We have a common sense guide for mitigating insider threats. We're on the sixth edition currently, we're working on the seventh edition now. And there's 21 best practices in there currently that are the foundational things for building an insider threat program.

The first, and they're ordered intentionally by importance. The first is know your critical assets. Know what it is that you're trying to protect. And once you're there, work towards developing a formal insider threat program that engages all of the necessary stakeholders across the organization that can help you understand where your critical assets are, how they're currently being protected, where the gaps are, and how the organization is interested in investing to buy down risk to those critical assets in inky areas.

TALHAH: I love that. I love it. And I know that's one of the educations that I certainly got, one of the things that I learned working in OSIT. And the way we frame that is a lot of companies make this mistake. We certainly tried that approach, which is try to boil the ocean. And it doesn't work right? Learned the hard way. You got to be able to compartmentalize your problem space and say, "Out of this ocean of risks that you might have in your organization, what are the most critical ones? How do you prioritize that?" And once you prioritize that, the problem actually becomes a lot more tractable. Then you can kind of divide and conquer in terms of your prioritized approaches are. In a lot of ways, this is risk management 101, if you think about it. It's like, identify your assets, identify your risks, and then put the processes and programs in place to go tackle it. So, yeah, it makes a ton of sense.

DAN: Yeah. So the risk management thing is really interesting because I think it's either best practice three or four, is make sure that insider threats are being addressed in organization-wide enterprise risk assessments. So if it's something that we've been saying for a really long time, and intuitively it makes sense, but we were in parallel with kind of insider threat program maturity. We're seeing organizations start to get more serious about managing risks across the enterprise in a more structured and in a more data-driven way, in a way that engages the folks that own the business processes.

So it's been fascinating. So to watch the two activities come up in parallel when, when a lot of what the insider threat programs are having to do really depends on the organization having those enterprise risk management answers already established. So where we're struggling is when you go to talk to the folks that should know these answers, they don't have the right answers yet. So we're seeing organizations in parallel have to work these two activities, or try to find a way to get them to sync up and align better. And it's more pressing for insider threats as opposed to just broader cyber risk for lots of organizations, because our insiders are the ones that know where our crown jewels are.

They're the ones that know the things that might not necessarily have externally the most value or the most tangible dollar value associated with impacts, but they know how and where to hurt organizations from an operational perspective. So when we're trying to figure out how bad one of these potential threats scenarios would be if it happened within the organization, those calculations and figuring that out with the right answer is for those scenarios can be a lot harder for insider threat programs because we're having to consider the second and third order impacts associated with something like IT system sabotage or something like fraud.

So it's been really interesting to watch those two bodies of research and practice grow in parallel. And a little bit of inside baseball, but those two bodies of research at the Software Engineering Institute are housed within the same part of CERT. So it makes intuitive sense to have those things laid out in terms of parallel bodies of research. And what we're seeing is advances in cyber risk management and enterprise risk management more broadly from a data collection and analysis perspective, really translating over nicely into insider threat program operations.

RAMAN: Wow, that's great. One thing as you were talking, Dan, that occurred to me is that there's a lot of, not a lot. But a fair number of the insider challenges and issues actually stem from accidental behavior, people being distracted, which of course, with a work from home environment probably gets expanded even more so because there's so many distractions going on. How do companies think about that and how do you advise organizations? Because now as we've spoken to industry analysts and even customers, they're thinking about insider instance less about the threats in general, but risks. So it encompasses both the malicious and the inadvertent side. And how do you think about that? Or how do you advise organizations in that area?

DAN: Yeah, so we really buttered our bread on malicious insiders early on here at the Software Engineering Institute. About 2012, 2013, we conducted a foundational study on unintentional insider threats, where someone who wasn't necessarily motivated to cause harm to the organization, either through error or through being taken advantage of by an external threat actor, had their authorized access to the organization's critical assets misused. And a lot of what you'll find in that foundational study is when the motivation and intents differ, there are different response options that become what the organization can and should be pursuing. So, once we figure out the intent associated with kind of some concerning behavior actor activity that we're seeing, or even a harmful event once it's occurred, we can then figure out the most appropriate strategies to take in terms of response options.

Is this someone who needs free training? Have we misconfigured access control, like this person shouldn't have even had authorized access to that asset to begin with in the first place? How do we better educate the workforce about their individual responsibilities to protect the authorized access to the critical assets that they've been given by the nature of their employment with the organization? So, it requires kind of a broadening of the aperture of what you consider to be kind of response options for insider threat incidents. And almost even a re characterization of how you declare an insider incident in the first place.

So it's a worthwhile undertaking for organizations because the loss to your organization doesn't really care about whether or not there was malicious intent or not. The bad thing happened, and it caused harm to the organization. So, what we need to do is understand the impacts associated with malicious versus unintentional insider threats are kind of relatively equivalent and at high levels. And from there, broaden our aperture and understanding in terms of what response options the organization needs to take. Once we've been able to infer either we think that there's some malicious intent here or there's there was no malicious intent here. And that intent inference, that's where we need our human capital folks. That's where we need the contextual data that lives outside of the purview of our technical tools and capabilities. And our friends in the social and behavioral sciences to be all a part of our insider threat program teams and our inside our risk mitigation efforts to help us understand kind of the human aspects and elements of what we're seeing on the technical side of the house.

That was one of the earliest findings that came out of our insider threat research here at the SEI was take a what we call a sociotechnical approach to insider threat mitigation. This is not just a bits and bytes problem. This is a people problem. We have to be able to collect and analyze data by using automated tools, to just deal with the scale and scope of this problem for larger organizations. But at the end of the day, we're talking about people that we brought into the organization, granted a position of trust to. We hopefully screened them on their way in, and they were good folks when they started here and they've been experiencing things in their lives that are causing them to kind of go down a path, a path that might potentially lead them to cause harm to the organization.

So early, early on finding those proactive sociotechnical approaches to the problem was a hallmark of our research. And that was amplified as we and other folks started to kind of broaden the aperture to consider unintentional insider threats as a part of the scope of their insider threat programs and insider risk management strategies.

RAMAN: So the context is key here, right? And one of the things that of touched on is the sentiment. They started out as a good individual, but maybe they got distracted. Maybe they're not happy now, or something's happening and that's causing them to do something that is causing risk to the organization. The other thing you brought up earlier, which I wanted to kind of touch on was the sense of the preemptive nature, because one of the things we have always talked about is once somebody has downloaded sensitive content from a repository onto their desktop, and then copy that to a USB, you're already like 80% out of the door. What were they doing prior to that? How could we identify that they may be going down this path? How do you all think about that? Because that's one of the questions that we continually get from customers.

DAN: Yeah. So early on, when we were collecting and analyzing insider incident data to form the foundation of, of our understanding of how different types of insider incidents tend to evolve over time, we were looking at the incidents really from the beginning of the insider's relationship with the organization, basically through the final resolution of the incident itself. And what we found was for almost every case that we've collected and analyzed was the presence of concerning behaviors and activity that preceded the harmful act associated with the incident, that if the organization would have either known about prior or taken a different response to, might have taken the insider down a different path that did not cause harm to the organization.

So in those different types of insider incidents that we've studied, fraud, theft of intellectual property, and IT systems sabotage, we've developed models that we've mined from the incidents that we've collected and analyze for those particular incident types. And those models capture not only how the insider attempted to evade detection or how they actually caused harm, but what were their personal predispositions and what stressors were they experiencing when combined with their personal predispositions that caused them to exhibit some concerning behaviors, detectable things, either from a technical perspective or from a behavioral perspective that the organization responded to in some maladaptive way?

Either by paying no attention to it, either because they didn't think that that was something that could lead someone down the path of causing harm, or they didn't have a detection capability in place. They simply didn't know about it. Or they zagged when they should've zigged. A good example of this is in our IT sabotage model where we've found kind of a pattern of disgruntled insiders being maladaptively responded to by their organizations, through things like sanctions, being demoted, being pulled off of important projects, having their access revoked. And those sanctions, those responses by the organization led, the insider to become even more disgruntled.

And you see patterns of this increased disgruntlement, another sanction, the insider gets more and more disgruntled, and at a certain point reaches the tipping point and decides that now it's time to strike back. Motivated by revenge against the organization, or they decide to leave the organization. Now they're going to take some intellectual property with them to benefit a competitor organization. So it's in those kind of feedback loops between concerning behaviors in maladaptive organizational responses where we found opportunities for organizations to improve their security posture as it pertains to insider risk, by gaining a better understanding of kind of those conditions that precede the harmful act and considering a much broader array of response options that might not necessarily lead someone to be motivated to cause harm, but might let them feel like they are supported by the organization, that they understand their relationship from a contractual perspective to the intellectual property that they're creating, and really a myriad of other different nuances for those different types.

So that's, again, something early on that we've established. It's these patterns of concerning behaviors and maladaptive organizational responses that exacerbate the threats and lead insiders causing harm to the organization in finding those feedback loops and trying to propose different strategies and then find ways to measure the effectiveness of those alternative strategies.

To learn more about this episode of the Uncovering Hidden Risks podcast, visit https://aka.ms/uncoveringhiddenrisks.

For more on Microsoft Compliance and Risk Management solutions, click here.

To follow Microsoft’s Insider Risk blog, click here.

To subscribe to the Microsoft Security YouTube channel, click here.

Follow Microsoft Security on Twitter and LinkedIn.

Keep in touch with Raman on LinkedIn.

Keep in touch with Talhah on LinkedIn.

Wipro streamlines guest-user access with Azure AD External Identities - Microsoft

Sue Bohn — Fri, 26 Feb 2021 21:54:13 GMT

Hello! In today’s “Voice of the Partner” blog, Prakash Narayanamoorthy, Principal Microsoft Security Architect for Wipro, explains how his company transformed their identity and access management (IAM) offer while delivering an elevated level of governance and secure access across external identities. Prakash and his team streamlined external access and strengthened security for their customers—all with a new unified Microsoft solution: Azure Active Directory External Identities.

Streamlining IAM for today’s business

by Prakash Narayanamoorthy, Principal Microsoft Security Architect for Wipro

Wipro Limited is a leading global information technology, consulting, and business process services company. We harness the power of cognitive computing, hyper-automation, robotics, cloud, analytics, and emerging technologies to help our clients adapt to the digital world and make them successful. A company recognized globally for its comprehensive portfolio of services, strong commitment to sustainability, and good corporate citizenship, we have over 180,000 dedicated employees serving clients across six continents. With a staff of more than 8,000 security professionals, Wipro has been helping global customers transform their identity and access management (IAM) challenges for more than 20 years.

With most of our customers already in, or migrating to, single or multi-cloud environments, we want to enable them to connect securely from anywhere, and on any device. On-premises IAM solutions often aren’t scalable and can’t address the digital-transformation initiatives now embraced by organizations worldwide. We recognized that today’s evolving threat landscape demands a next-gen IAM solution to keep up with business and security requirements—and we wanted to provide that solution powered by Microsoft Identity.

Figure 1: Today’s B2B ecosystem

A unified IAM solution

In my role as Principal Microsoft Security Architect, I own the Azure and Microsoft 365 security and compliance architecture and consulting charter, as well as go-to-market (GTM) strategies. As part of our Microsoft IAM offerings, we provide end-to-end solutions and services for our customers, who often are suffering from complex, inefficient onboarding and access-governance processes. In many cases, clients were leveraging existing IAM solutions with manual intervention. These legacy approaches don’t provide the agility and visibility across external identities that today’s organizations require.

My team was looking for a framework that would quickly adapt the Azure Active Directory (Azure AD) platform for servicing customers’ partner and guest-user identities in one solution. We wanted something that could provide seamless and secure access for our customers’ external users. In seeking to address their pain points—onboarding, access, identity governance, and secure collaboration—we found the perfect solution in Azure AD External Identities.

By leveraging Microsoft Graph APIs to automate Azure AD External Identities functionalities, we’re able to mitigate our customers’ key challenges around user registration and onboarding. Our application onboarding helps to onboard external-facing single sign-on (SSO) apps quickly and seamlessly.

Figure 2: Azure AD External Identities architecture

The Azure AD External Identities difference

In our customers’ previous partner-user and guest-user identity ecosystem, there were multiple legacy SSO solutions used to grant access to applications. Some user identities were stored on-premises, posing potential security risks. Onboarding for external users was time consuming due to the complexity and costs of managing multiple disconnected identity systems. By unifying access with Azure AD External Identities, we’ve reduced complexity and increased agility for our customers—providing them with easy onboarding and secure access for all their external identities.

Wipro now provides an end-to-end solution for our customers’ IAM challenges. With Azure AD External Identities, we’re able to make the external application-onboarding process seamless. Even better, customers can allow guest users access to Microsoft Teams, and through Azure AD they can implement strict controls on how teams are named and classified, as well as who can create them, and whether guests can be added as team members—all with improved overall governance and security.

With Azure AD, we’ve seen a plethora of functionalities stand out as clear differentiators. For example: risk-based authorization via Azure AD Conditional Access, passwordless sign-in, self-service features, and easy options for onboarding external identities—along with strong identity governance through complete access packages and easy recertification. We work closely with the Microsoft engineering team, and we always get timely support to help solve our customers’ IAM challenges. As Sheetal Mehta, Sr. Vice President and Group CISO, Wipro Ltd. explains, “Azure AD External Identities helped us to redefine our external users’ lifecycle management and enterprise applications access, providing secure collaboration and compliance.”

Real results

With the Azure AD External Identities approach, we’ve simplified and streamlined onboarding processes for our customers’ external users. There’s easy integration with network delivery controllers; meaning, on-premises apps are secured against external identities. Having Conditional Access with Azure AD Identity Protection helps minimize risks during sign-in and throughout the entire session. With the one-time password (OTP) sign-in feature, we’ve been able to avoid storing external users’ passwords, which improves security controls. Some benefits our customers have experienced include:

Simplified on- and off-boarding processes
Enabled seamless, secure access to enterprise applications
Improved overall security, compliance and risk reduction
Reduced effort required to onboard external-facing applications with SSO
Created a centralized IAM platform for reduced costs
Reduced external identity risks
Improved customer experience through an intuitive UI/UX
Reduced administrative overhead

Overall, Azure AD External Identities has enabled Wipro to provide our customers with a seamless, integrated security approach, improving their enterprise security and compliance posture in one solution. Even better, Azure AD External Identities is now free to organizations with at least 50K users.

Learn more

I hope Wipro’s account of adopting Azure AD External Identities to streamline IAM for their customers provides you with ideas for your organization. To learn more about our customers’ experiences, take a look at the other stories in the “Voice of the Partner” series.

Learn more about Microsoft identity:

Related Articles: (Optional) Add 1-2 article titles & links that are related to your blog post
Return to the Azure Active Directory Identity blog home
Join the conversation on Twitter and LinkedIn
Share product suggestions on the Azure Feedback Forum

Bring your ideas to life with new capabilities in Visio for the web

AakankshaRaj — Thu, 25 Feb 2021 16:39:01 GMT

At Visio, we are constantly working on new features to enhance the Visio for the web experience. In this blog, we provide a step-by-step guide on how to design a flowchart leveraging some of the latest capabilities in Visio for the web. Learn how to create and coauthor professional-looking flowcharts for effective decision making and process execution.

Let’s start with the home page—which, if you’re new to Visio, can be accessed at visio.office.com. Visio for the web provides a variety of flowchart and diagram templates so you can get started fast. Choose from a variety of templates for basic and cross-functional flowcharts and start creating your desired flowchart in a single click. It’s that simple!

Create data-driven diagrams directly in Excel

Alternatively, you can use the Visio Data Visualizer add-in to create your flowchart in Excel. To do this, create a new Excel spreadsheet or insert a new worksheet in an existing file and follow the steps below:

Under the Insert tab, click on Get Add-ins.
Search for “Visio Data Visualizer” and click on Add. Once you’ve completed this step, a dedicated button will appear in the Excel ribbon.
Click on the dedicated button and select from any of the available basic or cross-functional flowchart samples to get started. created along with the underlying data presented in a tabular format in the Excel sheet.

Update the data in the Excel table and click Refresh to see your changes reflected directly in the flowchart. If you have a Visio Plan 1 or Visio Plan 2 license, you can do even more with your flowchart—like add text, apply a design theme, or resize and reposition the shapes in your flowchart—using either Visio desktop or Visio for the web. If you don’t already have a license, we recommend Visio Plan 1 for basic diagram creation and editing and Visio Plan 2 if you need advanced features, like two-way sync and data graphics. You can compare plans to decide which option is best for you or try Visio Plan 2 free for 30 days.

To edit your flowchart in Visio for the web, for example, click Edit in the add-in menu bar. Then, click on Design and select one of the available Themes from the drop-down. You can also choose from the various Theme Colors.

Insert pictures into your Visio diagram

To further illustrate and personalize your flowchart, click on the recently added Stock Images option available from the Insert tab. Here, you can search through a variety of images. Select the image that is most appropriate for your flowchart and click Insert. The selected image can also be resized and reoriented to serve as a background for your flowchart.

Automatically resize the canvas to fit the shapes on the page

If you need to resize the canvas to fit your flowchart, click on the Size drop-down under the Design tab and select Fit to Drawing. The canvas will automatically resize to the outermost content borders, leaving some space for margins on all sides, but removing unnecessary blank space.

Need to embed your flowchart in a presentation or document?

Click File > Save As > Download as Image. Here, you can select the type of image file you want and desired resolution. Click on Download to save the image to your local machine and easily insert it into your files.

Share your diagram with others
Alternatively, you can share your Visio diagram as a link or via email by clicking the Share button in the top right corner. Choose from the various link settings to restrict the audience and allow/prohibit editing access to your file.

Keep visiting Tech Community and follow us on Twitter to stay current on the latest releases. We also hope you’ll submit ideas for features through our UserVoice site. Lastly, if you have specific questions or comments about any of the abovementioned capabilities, please send a note to tellvisio@microsoft.com.

Azure Marketplace new offers – Volume 117

Christine_Alford — Thu, 25 Feb 2021 16:25:20 GMT

We continue to expand the Azure Marketplace ecosystem. For this volume, 85 new offers successfully met the onboarding criteria and went live. See details of the new offers below:

Applications
	16-Bit Legacy Applications in Azure: APPtechnology's Microsoft Azure-hosted or local containerization solution allows legacy applications with compatibility issues to be deployed to users on 64-bit Windows 10 devices. Migrate all your users to Windows 10 while retaining the secure use of existing business apps.
	ANSYS Cloud: The Ansys Cloud service offers on-demand computing resources optimized for Ansys simulation applications running in a secure cloud environment hosted on Microsoft Azure. Run full-featured Ansys applications on cloud-based workstations accessible via a web browser.
	Apache Web Server with CentOS 7.9: Cognosys offers this pre-configured image of Apache HTTP Server 2.4.6 with CentOS 7.9. Launched in 1995, Apache HTTP Server is an open-source, cross-platform web server.
	Apache Web Server with Red Hat 8: Cognosys offers this pre-configured image of Apache HTTP Server 2.4.37 with Red Hat 8.2. Launched in 1995, Apache HTTP Server is an open-source, cross-platform web server.
	Appointment Management System: PetalMD's solution digitizes the planning of medical resources and captures patient demand by connecting to your appointment scheduling platforms. The solution helps reduce waiting periods, increase patient satisfaction, and standardize data access and performance.
	Armorblox Email Protection: Powered by natural-language understanding, Armorblox is an API-based cloud office security platform that helps protect Microsoft 365 and Exchange users from targeted phishing attacks and sensitive data loss over email.
	astorTime Basic (Temperature and Attendance): astorTime Basic provides a workforce attendance and temperature management system using an integrated handheld device, making it suitable for mobile use in outdoor environments.
	BlockAPT SOAR Platform: The BlockAPT SOAR platform combines threat intelligence, endpoint security, vulnerability management, device monitoring, and incident response management in one platform to help businesses significantly decrease cybersecurity risks.
	Bosch Connected Building Services: Bosch Connected Building Services connect equipment and building infrastructure, convert data into a uniform format, and create a digital map of the facility that serves to help you assess its current and historic condition.
	Builder Studio: Powered by Microsoft Azure, the Builder Studio platform industrializes software development using Lego-like reusable features, an AI-powered assembly line, and a curated network of experts to customize the reusable features.
	cCloud ai: The cPacket cCloud Visibility Suite provides a range of packet-data-based services to deliver always-on network intelligence for your Microsoft Azure environment. Features include filtering, traffic aggregation, and load balancing.
	CentOS 7.9: Cloud Maven Solutions offers this pre-configured, ready-to-use image of CentOS 7.9. CentOS is a popular operating system running in hosted environments, and CentOS 7.9 includes major changes that pertain to booting up and managing the system.
	CentOS 7.9 (Free): Cloud Maven Solutions offers this free, pre-configured, and ready-to-use image of CentOS 7.9. CentOS is a popular operating system running in hosted environments, and CentOS 7.9 includes major changes that pertain to booting up and managing the system.
	CentOS 7.9 (Free): Cognosys offers this free pre-configured image of CentOS Linux release 7.9 on Microsoft Azure. CentOS 7.9 is a popular operating system running in hosted cloud environments.
	CentOS 8.3: ProComputers.com offers this Minimal CentOS 8.3 image with an auto-extending root file system and cloud-init included. CentOS 8.3 is mainly used as a common base system on top of which other appliances can be built and tested. This image comes with Security-Enhanced Linux enabled.
	CentOS Stream: ProComputers.com offers this Minimal CentOS 8 Stream image with an auto-extending root file system and cloud-init included. CentOS Stream is an upstream development platform that enables you to quickly and easily see what’s coming next in Red Hat Enterprise Linux.
	Cerri Enterprise project and task Platform: Crafted to meet global enterprise needs ranging from simple to complex project collaboration functionality, Cerri's platform of interconnected apps helps you meet the demands of today’s enterprises and the challenges of project management and team collaboration.
	Denodo Platform 8.0 (Annual): Denodo provides real-time integrated views combining all your Microsoft Azure data and SaaS and on-premises databases and applications. Quickly create a logical data warehouse combining cloud and on-premises databases, data lakes, and applications.
	DocHawk: DockHawk for Microsoft Teams enables you to quickly associate employees with the certifications that apply to them. Manage expiration intervals and send email reminders to employees detailing upcoming or expired certifications.
	Docker CE with CentOS 7.9: Cognosys offers this pre-configured image of Docker Community Edition with CentOS 7.9. Docker CE is ideal for developers and small teams looking to get started with Docker and experimenting with container-based apps.
	Dragon Professional Anywhere: Nuance Dragon Professional Anywhere delivers cloud-hosted speech recognition for the enterprise and public sector, empowering busy professionals to use their voices naturally to create detailed, accurate documentation.
	Earth Knowledge Insight Services: Earth Knowledge Insight Services give context and insight to business decision-making, looking far beyond climate change alone. The solution incorporates more than 140 Global Climate Indicators to help you isolate and mitigate key risk factors.
	EcoStruxure Facility Expert: EcoStruxure Facility Expert is IoT-based software that delivers operational and energy efficiency while ensuring business continuity and occupants' comfort in individual facilities or across a portfolio of buildings.
	EcoStruxure Traceability Advisor: EcoStruxure Traceability Advisor provides end-to-end traceability and transparency across the supply chain for the consumer packaged goods market. Gain full visibility into your supply chain by capturing and analyzing history, location, and supplier data from different sources.
	Haproxy With CentOS 7.9: Cognosys offers this pre-configured image of Haproxy with CentOS 7.9. Haproxy is open-source software that provides a high availability load balancer and proxy server for TCP-based and HTTP-based applications, spreading requests across multiple servers.
	Haproxy With Red Hat 8: Cognosys offers this pre-configured image of Haproxy with Red Hat 8. Haproxy is open-source software that provides a high availability load balancer and proxy server for TCP-based and HTTP-based applications, spreading requests across multiple servers.
	Infinigent HCM: Available as a SaaS, hosted, or on-premises solution, Infinigent Software Solutions' enterprise-ready human capital management (HCM) platform covers all your workforce management processes, including resourcing, time and attendance, payroll, benefits, and performance management.
	Infosys Cloud Infrastructure Validation: The Infosys Cloud Infrastructure Validation (ICIV) platform helps conduct Microsoft Azure cloud-readiness and non-functional validation for an Azure cloud platform using open-source technology and pre-configured templates.
	InMate Needs Assessment System: Built using Microsoft Dynamics 365 and the Microsoft Power Platform, InMate Needs Assessment System helps evaluate substance abuse, mental illness, and other assessment processes among prison inmates, then determines the appropriate welfare programs.
	Intelligent Text Extractor: A computer-vision-based OCR solution, Intelligent Text Extractor provides accurate text extraction on printed, hand-printed, and handwritten text. It supports multiple languages, auto-classification of unfamiliar document templates, and validation for text types and formats.
	Intelligent Trade Promotion Optimization: Pactera Technologies' enterprise-scale, AI-powered Intelligent Trade Promotion Management Platform helps you design accurate, automated trade promotion plans with a high ROI. Predict sales along with the effects of cannibalization, customer switching, stockpiling, and more.
	Investigative Case Management: Based on Microsoft Dynamics 365 and the Microsoft Power Platform, MERP Systems' Investigative Case Management system addresses digging and fire-related incidents. Facilitate time-based reporting and the efficient management of complaints from receipt to resolution.
	InvestSuite - Investtech-as-a-Service: InvestSuite is a B2B SaaS solution that helps banks, brokers, wealth managers, pension funds, and other financial institutions serve their clients better via InvestSuite's Robo Advisor, StoryTeller, Self Investor, and Portfolio Optimizer modules.
	Jenkins with CentOS 7.9: Cognosys offers this pre-configured image of Jenkins with CentOS 7.9. Jenkins is an open-source tool written in Java that provides continuous integration services for software development.
	Jenkins with Red Hat 8: Cognosys offers this pre-configured image of Jenkins 2.249.2 with Red Hat 8.2. Jenkins is an open-source tool written in Java that provides continuous integration services for software development.
	JKIT Smart Factory (MVP1): John Keells Information Technology (JKIT) Smart Factory (MVP1) is an IoT-enabled asset and environment monitoring platform that can be used across many industry verticals. Get live updates on a wide spectrum of measurements and notify responsible parties to act accordingly.
	JKIT Smart Office (MVP1): John Keells Information Technology (JKIT) Smart Office (MVP1) is a mobile app designed to enhance employee workflows and processes. Built on Microsoft Azure, it enables anyone with "requestor" access to create and submit various types of requests.
	JKIT Smart Retail (MVP1): Smart Retail (MVP1) is a multifaceted mobile app designed to enhance customer experience. From purchase frequencies to brand preferences, Smart Retail captures a range of critical insights to help you deliver personalized shopping experiences.
	LAMP with CentOS 7.9 MariaDB 10: Cognosys offers this ready-to-run LAMP stack on CentOS 7.9 with MariaDB 10.5.8. LAMP is an archetypal model of web service solution stacks, named as an acronym of its original components: Linux OS, Apache HTTP Server, MySQL RDBMS, and the PHP programming language.
	LAMP with Red Hat 8: Cognosys offers this ready-to-run LAMP stack on Red Hat 8.3 with MariaDB 10.3.27. LAMP is an archetypal model of web service solution stacks, named as an acronym of its original components: Linux OS, Apache HTTP Server, MySQL RDBMS, and the PHP programming language.
	Learning-Teaching-Evaluation-Monitoring Ecosystem: Secure Learning's integrated platform for blended teaching, personalized learning, and assessment includes a web interface for administration, a teacher enablement app, the @Home Learner app, and more to drive the digital transformation of K-12 education.
	LMS powered by Moodle with CentOS 7.9: This pre-configured image from Cognosys contains LMS powered by Moodle 3.9.1 with CentOS 7.9. LMS powered by Moodle is used for blended learning, distance education, flipped classroom, and other e-learning projects to help educators and trainers achieve learning goals.
	Logicalis - Eugenio: Serving as a bridge between IoT data and your business layer from device to the cloud, the EUGENIO IoT platform helps developers create IoT solutions based on a secure, reliable, and scalable end-to-end infrastructure.
	Managed Azure Sentinel through Tiberium CDC: Powered by Azure Sentinel, the Tiberium Cyber Defence Centre is a managed service that delivers cloud-native cyber detection and response outcomes for organizations looking to measurably improve their cybersecurity posture.
	MariaDB 10 with CentOS 7.9: Cognosys offers this pre-configured image of MariaDB 10.5.8 with CentOS 7.9. MariaDB Server is a popular open-source relational database created by the original developers of MySQL.
	MariaDB 10 with Red Hat 8: Cognosys offers this pre-configured image of MariaDB 10.3.17 with Red Hat 8. MariaDB Server is a popular open-source relational database created by the original developers of MySQL.
	Meat Value Chain Optimization with AI: With its disruptive AI technology, Völur provides the meat industry new real-time insights, production plans, what-if simulations, and recommendations on the most optimal cutting and processing solutions. Make your business more sustainable and more profitable with Völur.
	myData Connector: Available only in Greek, Data Communication's myData Connector is a SaaS solution and middleware tool between your organization's enterprise resource planning system and the myData platform.
	MySQL 5.7 with CentOS 7.9: Cognosys offers this pre-configured image of MySQL 5.7.32 with CentOS 7.9. MySQL is a popular open-source relational SQL database management system for developing web-based software applications.
	Nginx With CentOS 7.9: Cognosys offers this pre-configured image of Nginx 1.16.1 with CentOS 7.9. NGINX is an all-in-one API gateway, cache, load balancer, web application firewall (WAF), and web server.
	Nuance CDE One: Nuance CDE One enables clinical documentation improvement teams to engage collaboratively with physicians, resulting in better-quality documentation that is more reflective of each patient's acuity and level of care.
	Nuance Patient Engagement: Designed to deliver better patient experiences with AI‑powered, omni‑channel technology, Nuance Patient Engagement brings world-class consumer engagement to healthcare and advances the quality of service that organizations deliver across the patient journey.
	PeterConnects Receptionist: PeterConnects Receptionist is a comprehensive telephone operator’s console for Microsoft Teams, providing a range of smart features for fast and easy call handling and efficient call distribution for organizations of all sizes.
	Photone4: Preparing Your Workplace for COVID-19: Photone4 is a temperature, social distancing, and personal protective equipment (PPE) detection solution powered by AI. It provides detailed insights through real-time alerts and reports, enabling faster decisions and helping you comply with OSHA regulations in the workplace.
	Production Quality Dashboard for Manufacturing: This Power BI dashboard enables manufacturing companies to leverage analytics and data visualization tools to make smart predictions, optimize product mix, reduce cycle times, and improve quality.
	Questback Leadership: Future-proof your company by developing your greatest assets -- your leaders -- with Questback Leadership, a next-generation leadership development solution powered by Microsoft Azure.
	SchoolWise for Microsoft Teams: SchoolWise for Microsoft Teams combines assessment, academic tracking, learner support, and curriculum planning into one place in Teams. Gain full visibility into teaching and learning to improve student learning outcomes in your school.
	Sitecore Content Hub: Sitecore Content Hub is a unified, highly configurable SaaS solution for planning, organizing, and distributing sales and marketing content across your internal organization and external marketing channels.
	Smartface Enterprise App Store: The Smartface Enterprise App Store module provides an in-house, enterprise-specific app store with a customizable mobile storefront to provide access to your business's apps.
	SmartMessage Marketing and Digital Communication: SmartMessage is an enterprise-ready, omnichannel marketing communication platform that covers a comprehensive set of solutions, including features that support the creation, automation, execution, and reporting of email, SMS, push, and social media campaigns.
	SmartTAP 360° Live: AudioCodes SmartTAP 360° Live is an enterprise compliance recording solution for Microsoft Teams. Record all online voice, video, and IM interactions for AI-powered analysis and to meet regulatory compliance requirements.
	Synergies: Synergies' banking platform connects legacy systems to new technology, enabling organizations to leverage core technologies, access an open banking ecosystem, integrate systems, and rapidly develop products to open new revenue streams.
	The Programmatic Platform: The Programmatic Platform provides marketers with a comprehensive management toolkit to design, optimize, and deliver campaigns via a step-by-step process, including an interactive brief, dynamic media planning, automated pilot setup, and a real-time reporting dashboard.
	Thycotic Privilege Manager: Thycotic Privilege Manager simplifies the implementation of a comprehensive endpoint privilege management strategy that includes a principle of least privilege (PoLP) security posture and application control. Mitigate security threats without disrupting business users and IT teams.
	TomTom Traffic Stats: TomTom Traffic Stats provides historical road traffic speeds and travel times in more than 75 countries, delivering average and median speeds, speed limits, street names, and road class, along with sample sizes for confidence in results.
Consulting services
	10-Week CAF Ready Assessment: Designed to accelerate your journey to Microsoft Azure, Alithya’s Cloud Adoption Framework (CAF) Ready Assessment includes an Azure setup guide with recommendations for your cloud resources and a best-practices presentation.
	Application Modernization Advisory 4-Week Assessment: SoftwareONE’s Application Modernization Advisory helps you define and design an ideal approach to modernize your applications using Microsoft Azure services. Benefit from simple cost management, extended functions, and faster provisioning of your applications.
	Azure Analytics Workshop: 4-Hour Workshop: DataArt's Microsoft Azure data experts will provide a comprehensive understanding of end-to-end analytics (from data collection to BI and forecasting), how to use Azure Synapse Analytics, and the benefits of implementing an analytics culture in your organization.
	Cloud Services for Azure - Lighthouse: Fujitsu’s Cloud Services for Azure is an end-to-end service that delivers digital transformation to Microsoft Azure. With Azure Lighthouse, you maintain control over tenant access while enabling Fujitsu to deliver a holistic managed service.
	CLOUDETEERs Golden Tenant Setup and Management: Each compliant Microsoft Azure Active Directory tenant setup and managed by CLOUDETEER includes compliance and deployment pipelines, in-depth dashboards, an open-source monitoring stack, a private Git repository where tenant configurations are stored as code, and more.
	Data and Infrastructure Migration: 3-Week Assessment: In this three-week assessment, Waterleaf Digital will help you optimize your current application and server workloads while providing insights on the business and technology benefits of moving additional workloads to Microsoft Azure.
	Data Driven Company Assessment - 4 Weeks: Sopra Steria Norway will help you establish a data strategy and roadmap to facilitate data-driven decision-making in your organization. Take the first step toward becoming a data-driven company and learn how artificial intelligence can deliver business benefits.
	GOTOP LabService: Microsoft Azure Lab Services enable instructors to quickly set up labs for classroom use and specify the number and type of VMs required. Available in Traditional Chinese, GOTOP Information's service provides technical assistance to help you set up Azure Lab Services.
	Install SAP1 on Azure: 4-Week implementation: Looking to install SAP Business One on Microsoft Azure for your organization? OfficeTechHub's four-week implementation includes a full installation on Azure, backup and disaster recovery configuration, and more.
	IoT-Automated-Pack-Training Workshop: 9 Hours: Available only in Traditional Chinese, Weblink International's IoT workshop helps educators understand IoT architecture, recognize different sensor signals, and use Microsoft Power Automate to transfer IoT data to Azure SQL Database for in-depth Power BI reports.
	MOQdigital Managed Sentinel: MOQdigital provides a managed security service using Microsoft Azure Sentinel. MOQdigital can help set up Azure Sentinel in your organization’s environment, including offering Azure Sentinel as a service for ongoing incident management, response, and investigation.
	NLP (AI) in Action: 2-Week Proof of Concept: Ilitia Technologies will deliver a proof of concept that solves your business use case by applying artificial intelligence/natural language processing services on Microsoft Azure. This offer is available only in Spanish.
	NNIT Managed Foundation Services: Using Microsoft Azure Lighthouse, NNIT will maintain, monitor, and advise on your Azure workloads. Benefit from a platform that scales automatically, keeps administrative overhead to a minimum, and facilitates the healthy operation of your workloads.
	One-Day AI Assessment by Cognitive Machines: Developing cognitive products leveraging recent advancements in AI can be daunting. In this free assessment, Cognitive Machines' Microsoft-certified data scientists will identify AI-driven data transformation opportunities and define an implementation plan for your business.
	POC - Windows Virtual Desktop (5 Days): In this proof of concept, Inetum will implement a Windows Virtual Desktop environment enabling you to validate its ability to meet your business needs, such as telecommuting or app consumption that requires 3D graphics rendering. This offer is available only in French.
	Smart Cloud Infrastructure: 10-Week Implementation: No matter what stage your organization's data strategy is in, MostWare's smart cloud infrastructure implementation helps you achieve your data goals and realize optimal data maturity. This offer is available only in Dutch.
	Synapse Analytics One-Day Proof of Concept: Microsoft Azure Synapse Analytics provides a variety of tools that work well together under one interface. Available only in German, this proof of concept from Ceteris will help you implement data-gathering concepts aligned with the practical abilities of Azure Synapse Analytics.
	Virtual Desktop as a Service: MITIBI will provide fast deployment and configuration of Windows Virtual Desktop for your organization. Give your employees the freedom to work from anywhere with familiar tools and 24/7 technical and consulting support.
	Windows Virtual Desktop: 2-Hour Briefing: Bridgeall offers this free two-hour briefing to help you understand how implementing Windows Virtual Desktop can benefit your organization. Deliverables include an implementation outline and clearly defined next steps.
	Windows Virtual Desktop: 2-Week Implementation: Team Venti will collaborate with you to understand your objectives, requirements, and desired outcomes, then deliver a Windows Virtual Desktop experience with built-in, intelligent security to enable your business to scale based on your needs.

Experiencing Data Gaps issue in Azure Portal for Many Data Types - 02/25 - Resolved

Azure-Monitor-Team — Thu, 25 Feb 2021 14:31:33 GMT

Final Update: Thursday, 25 February 2021 14:23 UTC

We've confirmed that all systems are back to normal with no customer impact as of 02/25, 01:22 UTC. Our logs show the incident started on 02/25, 01:55 UTC and that during the 30 minutes that it took to resolve the issue some customers may have experienced intermittent data gaps and incorrect alert activation in East US region.

Root Cause: The failure was due to issue in one of our dependent service.
Incident Timeline: 30 minutes - 02/25, 01:22 UTC through 02/25, 01:55 UTC

We understand that customers rely on Application Insights as a critical service and apologize for any impact this incident caused.

-Harshita

Weekly Secure Score Progress Report

Safeena Begum Lepakshi — Thu, 25 Feb 2021 14:28:15 GMT

With the increasing number of resources in your Azure environment, you need a way to understand and prioritize the security hygiene of your environment and that’s where Azure Security Center comes into picture. Azure Security Center continuously assesses Azure resources, within a subscription to identify security issues and provides a list of security recommendations which leverages Azure Security Benchmark. Recommendations are grouped in Security Controls and some security controls will have a score attach to it. Each control is a logical group of related security recommendations and reflects your vulnerable attack surfaces.

From the continuous improvement perspective, it is imperative that you keep track of your Secure Score progress. This blog post, introduces an automation playbook that you can leverage to receive a Weekly Secure Score Progress report via email.

Requirements

This automation is querying Log Analytics Workspace data. Using Continuous export feature of Azure Security Center, make sure you are streaming Security Center data to the Log Analytics workspace. Also make sure you have enabled export of secure score. In the drop-down menu you can choose to export both the overall score of the subscription and the score per control. Please follow this article for enabling Continuous export option

After you deploy this automation, you will need to:

Authorize the azuremonitorlogs API connection to connect to the workspace
Authorize the Office 365 API connection to send emails
Authorize the Logic App managed identity

How does it work

The automation playbook is a Logic App that runs weekly, queries your Log Analytics Workspace and gathers data to send you weekly notification email that will update you details on your current Secure Score as well as Secure Score overtime progress report displayed in a beautiful graph format. In case you notice a spectacular change in the graph, you can continue to review the current security controls that are open and that needs to be prioritized along with the top five most important Security controls that needs to be fixed as early as possible – all in one email. Having this kind of detailed visibility is super important for Security analytics to keep track of the environment’s security hygiene. A sample email from the automation’s run is shown below:

Image 1: Example Email output

The sections that follow will go in details on each one of those steps.

How to deploy the automation playbook

You can find an ARM template that will deploy the Logic App Playbook and all necessary API connections in the Azure Security Center GitHub repository.

The ARM template uses your Log Analytics workspace and creates two API Connections, O365 and an Azure Monitor Logs API connection. As part of the template parameters, you will need to enter your Log Analytics Workspace Subscription ID, Log Analytics Workspace Resource Group Name and Log Analytics Workspace Name. During the deployment, it is highly recommended to create a new resource group, which will contain all the required resources for the playbook.

Once you have deployed the ARM template, you will have some manual steps to take before it works as expected.

Authorize azuremonitorlogs API Connection

This API connection is used to connect to your Log Analytics workspace. To authorize the API connection:

Go to the Resource Group you have used to deploy the template resources.
Select the azuremonitorlogs API connection and press 'Edit API connection'.
Press the 'Authorize' button.
Make sure to authenticate against Azure AD.
Press save

Authorize Office 365 API Connection

This API connection is used to send weekly secure score progress report email. To authorize the API connection:

Go to the Resource Group you have used to deploy the template resources.
Select the Office365 API connection and press 'Edit API connection'.
Press the 'Authorize' button.
Make sure to authenticate against Azure AD.
Press save.

Authorize the Logic App’s managed identity

The playbook uses a Managed Identity. You need to assign reader permissions to the subscriptions you want to export for the Manage Identity (explained in detail below). Notice you can assign permissions only as an owner and make sure all selected subscriptions registered to Azure Security Center.

To grant the managed identity reader access, you need to:

Make sure you have User Access Administrator or Owner permissions for this scope.
Go to the subscription/management group page.
Press 'Access Control (IAM)' on the navigation bar.
Press '+Add' and 'Add role assignment'.
Choose ‘Reader’ role.
Assign access to Logic App.
Choose the subscription where the logic app was deployed.
Choose the Logic App you have just deployed.
Press save.

GitHub Sample

You can leverage This logic app as well as many other can be found here: this automation from our GitHub repository using the links below:

Direct Link to GitHub sample

Azure Security Center GitHub Repo

Make sure to take advantage of this automation artifact and stay on top of your environment’s Security Posture.

Let us know your feedback using any of the channels listed in the Resources. Your feedback is highly appreciated.

Reviewer

Thanks to the amazing Yuri Diogenes, Principal Program Manager for envisioning this wonderful automation idea and for his feedbacks on this automation and the article.

Experiencing Data Gaps issue in Azure Portal for Many Data Types - 02/25 - Resolved

Azure-Monitor-Team — Thu, 25 Feb 2021 13:33:12 GMT

Final Update: Thursday, 25 February 2021 13:09 UTC

We've confirmed that all systems are back to normal with no customer impact as of 02/25, 12:51 UTC. Our logs show the incident started on 02/25, 11:51 UTC and that during the 1 Hour that it took to resolve the issue some customers may have experienced intermittent data gaps and incorrect alert activation in Canada Central region.

Root Cause: The failure was due to issue in one of our dependent service.
Incident Timeline: 1 Hour 0 Minutes - 02/25, 11:51 UTC through 02/25, 12:51 UTC.

We understand that customers rely on Application Insights as a critical service and apologize for any impact this incident caused.

-Vamshi

Initial Update: Thursday, 25 February 2021 12:47 UTC

We are aware of issues within Application Insights and are actively investigating. Some customers may experience intermittent data gaps and incorrect alert activation in Canada Central region.

Work Around: None.
Next Update: Before 02/25 17:00 UTC

We are working hard to resolve this issue and apologize for any inconvenience.
-Vamshi

Build Near Real Time Power BI reports using Synapse Link and SQL On-Demand easily

lionelp — Thu, 25 Feb 2021 11:23:55 GMT

This guide describes how to build near real time Power BI reports leveraging Synapse Link and SQL On-Demand. The intent is to demonstrate the simplicity of using these technologies.

Now let's start!

Ensure you have the new Synapse Workspace enabled in your subscription:

Ensure you have Synapse Link enabled at your Cosmos DB account

Create your Database and container, verify the container has the Analytical Store enabled

As a prerequisite you need to ensure you are running Cosmos DB Python SDK v4.1.0 by executing the code below in a notebook:

import azure.cosmos as cosmos print (cosmos.__version__)

Result should be 4.1.0, if it’s below then run this command in a new cell:

pip install --force-reinstall azure-cosmos

You’ll then need to open a new notebook to get the new version taken into account and run the following code:

import azure.cosmos from azure.cosmos.partition_key import PartitionKey database = cosmos_client.create_database_if_not_exists('RetailDemo') print('Database RetailDemo created') container = database.create_container_if_not_exists(id='WebsiteData', partition_key=PartitionKey(path='/CartID'),analytical_storage_ttl=-1) print('Container WebsiteData created')

Note that you have created in the database RetailDemo a container named WebsiteData partitioned on CartID and you enabled the Analytical Store with the the parameter "analytical_storage_ttl=-1"

Once the container is created you can check the Analytical Store is enabled by default:

Then let start to load a small sample of data, for this you just need to create a new notebook in your Cosmos DB Data Explorer as follow:

Code to run in your notebook:

%%upload --databaseName RetailDemo --containerName WebsiteData --url https://cosmosnotebooksdata.blob.core.windows.net/notebookdata/websiteData-small.json

Here is how the data look like now:

Once this first step is complete you have a container with a few items and an Analytical Store on it.

Next Step is to go to Synapse Workspace and from there to Synapse Studio, create a SQL On Demand Database and test querying the Cosmos DB Analytical Store from there.

You can either use an existing Synapse Workspace or create a new one and launch Synapse Studio directly on your Workspace.

To discover how to create a SQL On-Demand Database and start learning how it works simply use this link:

https://docs.microsoft.com/en-us/azure/synapse-analytics/quickstart-sql-on-demand

Now you can create a view in the On-Demand Database with the following syntax:

Click on the Develop icon on the left side to access the SQL script and Notebooks, click on the ‘+’ sign to get a new SQL script then connected to the SQL On-Demand engine and ‘myondemanddb’ database.

Code to run in your SQL script:

CREATE VIEW CosmosDBTest AS SELECT * FROM OPENROWSET ( 'CosmosDB', 'account=cosmosdblp2;database=RetailDemo;region=northeurope;key=your_key', WebsiteData ) AS q1

In my my current example region is northeurope.

Once the view is created, you can run simplistic queries such as the ones below and get the results from the CosmosDB container WebsiteData:

Code to run in your SQL script:

select * from CosmosDBTest; select country,sum(price) from CosmosDBTest group by country;

Note that Synapse Link take care of the JSON document flattening into a table format for you.

Now that the general mechanism is now in place so you are ready to build a Power BI report on top of this. In case you don’t have PBI Desktop already you can get it from there:

https://www.microsoft.com/en-us/download/details.aspx?id=58494

Start PBI Desktop and select the Azure SQL Database source and put the SQL On-Demand endpoint as the server name:

Do not forget to specify port 1433 (yours-ondemand.sql.azuresynapse.net,1433) and DirectQuery mode:

After giving your credentials let’s pick up the view CosmosDBTest that you created precedingly:

Here is the simple report we can build and let focus on Guinea-Bissau, the current price value is 7.5:

Let’s go back to CosmosDB and select the corresponding items where we can raise the price of the corresponding item by 100 for instance:

After a latency of around a minute the price increase is reflected on the report:

And what if you load a larger set of Data into your Cosmos DB container?

Let’s then take a larger data set and bulk load it into your container as follow:

How is this rendered in Power BI?

Almost there!

What if you publish to your Power BI Tenant?

This is it!

To wrap this up:

I enabled the Analytical Store on a Cosmos DB container
I created a SQL on-demand view on this container Analytical Store
I created a Power BI report connected to the SQL on-demand database as a regular Azure SQL Database

Call to Action:

Please try now the Cosmos DB to Spark integration by following these examples:
Synapse/Notebooks/PySpark/Synapse Link for Cosmos DB samples at main · Azure-Samples/Synapse (github.com)

Azure SQL Database or SQL Managed Instance Database used data space is much larger than expected

Sabrin_Alsahsah — Thu, 25 Feb 2021 11:07:45 GMT

The data space used in an Azure SQL database or SQL Managed Instance database can be larger than expected - and on occasions significantly larger than expected – when compared with the actual number of records in the individual tables. This can lead to the impression of a problem with the database storage itself. However, this is almost certainly never the case and the issue can be resolved by carrying out a few maintenance procedures.

Storage space types for a database

To understand why this happens we should first review the different types of storage space used to the manage the file space of a database:

Used Data space - This is the amount of space used to store the database data, which is stored in 8 KB pages. Generally, the space used increases and decreases due to inserts and deletes respectively. In some cases, the space used does not change on inserts or deletes depending on the amount and pattern of data involved in the operation and any fragmentation. For example, deleting one row from every data page does not necessarily decreasing the space used.
Allocated Data space - The amount of formatted file space made available for storing database data. The amount of space allocated grows automatically, but never decreases after deletes. This behavior ensures that future inserts are faster since space does not need to be reformatted.
Data space allocated but unused - The difference between the amount of data space allocated and data space used. This quantity represents the maximum amount of free space that can be reclaimed by shrinking database data files.
Data max size - The maximum amount of space that can be used for storing database data.

The following diagram illustrates the relationship between the different types of storage space for a database:

Maintenance plan

Now we know that the used data space does not always change when inserts and deletes are performed and therefore can be greater than what could be expected when considering the number of records in the tables. How do we resolve this? This can be achieved by following the maintenance steps below to reduce index fragmentation, cleaning up any ghost records and then cleaning the Persisted Version Store:

1) Index fragmentation

Fragmentation exists when indexes have pages in which the logical ordering within the index, based on the key value of the index, does not match the physical ordering inside the index pages. The following example finds the average fragmentation percentage of all indexes in the Sales.SalesOrderDetail table in the AdventureWorks2012 database:

SELECT a.index_id, name, avg_fragmentation_in_percent, fragment_count, avg_fragment_size_in_pages FROM sys.dm_db_index_physical_stats (DB_ID('AdventureWorks2012'), object_id('Sales.SalesOrderDetail'), NULL, NULL, NULL) AS a JOIN sys.indexes AS b ON a.object_id = b.object_id AND a.index_id = b.index_id

The following links detail how to rebuild indexes to reduce the fragmentation (the second link includes an index and statistics maintenance script you can download):

2) Ghost Records

Ghost records are records that are deleted from a leaf level of an index page but aren't physically removed from the page. Instead, the record is marked as ghosted meaning to be deleted. This means that the row stays on the page, but the row header is modified to indicate the row is a confirmed ghost record. The reason behind this is to optimize performance during a delete operation. Ghosts are necessary for row-level locking, but also necessary for snapshot isolation where we need to maintain the older versions of rows. The number of ghost records can build up in a database until they are cleaned. The database engine runs a ghost cleanup process in the background that sometime after the delete transaction is committed, physically removes ghosted records from pages.

It is also possible the ghost cleanup process is disabled (not generally recommended). Disabling the ghost cleanup process can cause your database to grow unnecessarily large and can lead to performance issues. You can check if the ghost cleanup process is disabled by running the following command:

DBCC Tracestatus (661)

If the “Status” flag is set to 0, then this indicates that the ghost clean-up is enabled. If “Status” flag is set 1, then the process has been disabled.

To confirm if there are ghost records on your database execute this T-SQL:

SELECT sum(ghost_record_count) total_ghost_records, db_name(database_id) FROM sys.dm_db_index_physical_stats (NULL, NULL, NULL, NULL, 'SAMPLED') GROUP BY database_id ORDER BY total_ghost_records DESC

If there are ghost records, you can delete the ghost records manually from the database by executing an index rebuild. This process reclaims disk space by compacting the pages based on the specified or existing fill factor setting and reorders the index rows in adjoining pages.

Another option is to use sp_clean_db_file_free_space to clean all pages in all files of the database. For example, this T-SQL will clean the ghost records from the AdventureWorks2012 database:

USE master; GO EXEC sp_clean_db_free_space @dbname = N'AdventureWorks2012';

For more details about the Ghost clean process refer to the following guide: Ghost cleanup process guide - SQL Server | Microsoft Docs

3) Persisted Version Store (PVS)

PVS is a database engine mechanism for persisting the row versions generated in the database itself instead of the traditional tempdb version store. PVS enables resource isolation and improves availability of readable secondaries. The accelerated database recovery (ADR) feature uses PVS.

You can check the database PVS size by running the following T-SQL:

SELECT DB_Name(database_id), persistent_version_store_size_kb FROM sys.dm_tran_persistent_version_store_stats WHERE database_id = add your database ID

If PVS size is large you can enforce the PVS cleanup by executing the following T-SQL:

EXEC sys.sp_persistent_version_cleanup [database_name]

The links below contains more information about PVS and ADR:

Database shrink process

If required, the DBCC SHRINKFILE command can be executed after the above maintenance procedures to release allocated space.

The following example shrinks the size of a data file named DataFile1 in the UserDB user database to 7 MB.

USE UserDB; GO DBCC SHRINKFILE (DataFile1, 7); GO

However, there are several best practices to be aware of when considering using DBCC SHRINKFILE:

A shrink operation is most effective after an operation that creates a large amount of unused space, such as a truncate table or a drop table operation.
Most databases require some available free space for regular day-to-day operations. If you shrink a database repeatedly and its size grows again, then it's likely that regular operations require the shrunk space. In these cases, repeatedly shrinking the database is a wasted operation.
A shrink operation doesn't preserve the fragmentation state of indexes in the database, and generally increases fragmentation to a certain degree. This is another reason not to repeatedly shrink the database.
Shrink multiple files in the same database sequentially instead of concurrently. Contention on system tables can cause blocking and lead to delays.

More details about DBCC SHRINKFILE are contained in this link: DBCC SHRINKFILE (Transact-SQL) - SQL Server | Microsoft Docs

Conclusion

In this article we have considered the scenario where the used size of an Azure SQL Database or SQL Managed Instance Database is much larger than expected when compared with the actual number of records in the tables.

This can be resolved by carrying out a few maintenance procedures such as rebuilding indexes to reduce index fragmentation, cleaning up ghost records and cleaning the Persisted Version Store. If required, the DBCC SHRINKFILE command can also be executed afterwards to release allocated space.

I hope this article was helpful for you, please feel free to share your feedback in the comments section.

Sabrin Alsahsah

Experiencing Data Latency Issue in Azure portal for Log Search Alerts - 02/25 - Resolved

Azure-Monitor-Team — Thu, 25 Feb 2021 12:04:15 GMT

Final Update: Thursday, 25 February 2021 11:53 UTC

We've confirmed that all systems are back to normal with no customer impact as of 02/25, 11:35 UTC. Our logs show the incident started on 02/25, 09:25 UTC and that during the 2 hours and 10 minutes that it took to resolve the issue some customers may have experienced issues with missed or delayed Log Search alerts or experienced difficulties accessing data for resources hosted in East US region.

Root Cause: The failure was due to a backend service becoming unhealthy.
Incident Timeline: 2 Hours & 10 minutes - 02/25, 09:25 UTC through 02/25, 11:35 UTC

We understand that customers rely on Log Search Alerts as a critical service and apologize for any impact this incident caused.

-Harshita

Initial Update: Thursday, 25 February 2021 10:32 UTC

We are aware of issues within Log Search Alerts and are actively investigating. Some Customers may experience issues with missed or delayed Log Search alerts or experienced difficulties accessing data for resources hosted in East US region.

Work Around: None
Next Update: Before 02/25 14:00 UTC

We are working hard to resolve this issue and apologize for any inconvenience.
-Harshita

Introducing list sharing from personal accounts to work accounts in Microsoft To Do

terrylarsen — Thu, 25 Feb 2021 09:04:34 GMT

Microsoft To Do gives you a personal and intuitive way to stay organized and make the most of every day. Today, most of our tasks involve collaboration with multiple people – something that list sharing can make easier. Whether you want to share a list of work items with your colleagues or a grocery list with a loved one, To Do makes it easy to collaborate and get things done together.

List sharing in To Do was originally restricted to sharing between personal accounts and sharing between work (or school) accounts within the same organization. However, many of you wanted to be able to share between personal and work accounts.

We listened to your feedback and are pleased to announce that you can now share lists from personal accounts to work accounts in Microsoft To Do.

To Do supports list sharing for the following scenarios:

Sharing between personal Microsoft accounts.
Sharing between accounts within the same place of work or education.
Sharing between personal accounts and work accounts. Work accounts can join lists owned by personal accounts provided enterprise admins have enabled this feature for their respective organizations. However, personal accounts cannot join lists owned by work accounts.

Whether it’s a grocery list that your spouse wants to share from a personal account with your work account or a work-related list that an external vendor team can share from their personal accounts with your work account, collaborating on To Do has never been easier.

Want to know more? You can read up on list sharing here.

We can’t wait to hear what you think about this new feature - let us know in the comments below or over on Twitter and Facebook. You can also write to us at todofeedback@microsoft.com.

Experiencing Data Latency Issue in Azure portal for Log Analytics - 02/25 - Resolved

Azure-Monitor-Team — Thu, 25 Feb 2021 09:22:13 GMT

Final Update: Thursday, 25 February 2021 09:21 UTC

We've confirmed that all systems are back to normal with no customer impact as of 02/25, 08:55 UTC. Our logs show the incident started on 02/25, 07:24 UTC and that during the 1 Hours & 31 minutes that it took to resolve the issue some customers may have experienced data latency and incorrect alert activation in West Europe region.

Root Cause: The failure was due to issue with one of our backend service which became unhealthy during the impacted window.
Incident Timeline: 1 Hours & 31 minutes - 02/25, 07:24 UTC through 02/25, 08:55 UTC

We understand that customers rely on Azure Log Analytics as a critical service and apologize for any impact this incident caused.

-Vyom

Update: Thursday, 25 February 2021 08:32 UTC

Root cause has been isolated to one of the backend dependency is down. To address this, engineers are currently working. Some customers may experience data latency and incorrect alert activation in West Europe region.

Next Update: Before 02/25 11:00 UTC

-Vyom

Experiencing Data Access Issue in Azure portal for Log Analytics - 02/25 - Resolved

Azure-Monitor-Team — Thu, 25 Feb 2021 07:51:07 GMT

Final Update: Thursday, 25 February 2021 07:25 UTC

We've confirmed that all systems are back to normal with no customer impact as of 02/25, 06:50 UTC. Our logs show the incident started on 02/25, 00:30 UTC and that during the 6 Hours 20 Minutes that it took to resolve the issue some customers may have experienced delayed or missed Log Search Alerts and Queries for customer data would not return expected results in West US 2 region.

Root Cause: Our investigation determined that a backend services became unhealthy, preventing requests from completing.
Incident Timeline: 6 Hours & 20 minutes - 02/25, 00:30 UTC through 02/25, 06:50 UTC.

We understand that customers rely on Azure Log Analytics as a critical service and apologize for any impact this incident caused.

-Vamshi

Initial Update: Thursday, 25 February 2021 04:55 UTC

We are aware of issues within Log Analytics and are actively investigating. Some customers may experience delayed or missed Log Search Alerts and Queries for customer data would not return expected results in West US 2 region.

Work Around: None
Next Update: Before 02/25 11:00 UTC

We are working hard to resolve this issue and apologize for any inconvenience.
-Harshita

Latest Azure VMware Solution Resources

henryyan — Thu, 25 Feb 2021 03:32:36 GMT

Extend to the Cloud with Azure VMware Solution

Learn how to migrate, modernize, simplify.

Tuesday, March 23, 2021 | 10:00 AM-2:00 PM Pacific Time

Learn how to extend your VMware investments to the cloud at the Azure VMware Solution digital event on March 23. Register now! 

Training Videos

Explore training videos on the Microsoft Azure YouTube Channel to learn how you can run your VMware workloads natively on Azure.

Documentation

Learn how to use Azure VMware Solution to deploy a VMware private cloud to Azure.

Cumulative Update #23 for SQL Server 2017 RTM

HristinaSQL — Thu, 25 Feb 2021 00:27:45 GMT

The 23rd cumulative update release for SQL Server 2017 RTM is now available for download at the Microsoft Downloads site. Please note that registration is no longer required to download Cumulative updates.
To learn more about the release or servicing model, please visit:

CU23 KB Article: https://support.microsoft.com/en-us/help/5000685

Starting with SQL Server 2017, we adopted a new modern servicing model. Please refer to our blog for more details on Modern Servicing Model for SQL Server

Microsoft® SQL Server® 2017 RTM Latest Cumulative Update: https://www.microsoft.com/download/details.aspx?id=56128
Update Center for Microsoft SQL Server: https://docs.microsoft.com/en-us/sql/database-engine/install-windows/latest-updates-for-microsoft-sql-server

2020 Update for Surface Hub v1 available via Windows Update

Yoav Barzilay — Wed, 24 Feb 2021 22:52:54 GMT

We're pleased to announce the Windows 10 Team 2020 Update will be available via Windows Update to first-generation Surface Hub 55” and 84” devices, beginning February 24.

We will initially be making Windows 10 Team 2020 available over the coming weeks, as noted below, to help ensure the highest quality update experience:

Feb 24: Surface Hub v1 with full telemetry enabled in Australia, New Zealand, Japan, Canada, Mexico, Belgium, Italy, Germany, the Netherlands, Switzerland, and UK.
March 2: Surface Hub v1 with full telemetry enabled in all global markets.

Note: If the Windows 10 Team 2020 Update does not appear in the list of available Windows Updates, you can temporarily turn on full telemetry (aka Windows diagnostics). After enabling full telemetry and restarting the device, it may take 24 hours or more before the update appears. To check, login to Surface Hub v1 as Admin, select Settings > Update & Security > Check for updates.

Please also read the known issues list before updating your devices to Windows 10 Team 2020.

Updating via Surface Hub Recovery Tool

As an alternative to Windows Update, all first-generation Surface Hubs can be updated from Windows 10 Team, version 1703 (RS2)¹ to the new Windows 10 Team 2020 Update with the Surface Hub Recovery Tool (SHRT)² available for download (select SurfaceHub_Recovery_v2.7.139.0.msi). When you run the SHRT tool, you will be prompted to select the 2020 Update image - aka 20H2 - as shown in the following screenshot:

For more information about using the SHRT tool including step-by-step instructions, refer to Using the Surface Hub Recovery Tool.

References

1. Windows 10 Team, version 1703 (RS2), will remain supported through March 16, 2021.

2. Any first-generation Surface Hub impacted by the Windows 10 Team 2020 Update may be restored and updated via the Surface Hub Recovery Tool (SHRT).

Latest Linux on Azure Resources

henryyan — Tue, 02 Mar 2021 04:16:29 GMT

Welcome to the resource hub for Linux on Azure and staying up to date for learning materials.

Microsoft Learn

Explore the Linux on Azure learning path and learn how to move / build your first Linux workloads to Azure, whether you want to explore VM based Linux solutions or AKS related services. Start now and accomplish specific tasks with individual learning modules to run your project of Linux on Azure.

Linux on Azure Skilling Video series

Linux on Azure playlist is available on the Microsoft Azure YouTube Channel for your review! Learn Linux fundamentals from Red Hat, SUSE, and Ubuntu. Discover how to run your Open Source workloads such as Elastic, Cloudera and VMware Tanzu on Azure, and how to use the tooling provided by HashiCorp and Microsoft to expedite your journey to the Azure Cloud!

Other Linux resources

Get all of the resources for Linux on Azure at Azure.com/Linux

Developer Guidance for Hardware-enforced Stack Protection

Jin_Lin — Wed, 24 Feb 2021 20:49:35 GMT

In March 2020, we shared some preliminary information about a new security feature in Windows called Hardware-enforced Stack Protection based on Intel’s Control-flow Enforcement Technology (CET). Today, we are excited to share the next level of details with our developer community around protecting user-mode applications with this feature. Please see requirements section for hardware and OS requirements to take advantage of Hardware-enforced Stack Protection.

Starting from the 11C latest cumulative update for 20H1 (19041) and 20H2 (19042) versions of Windows 10, we’ve enabled user mode Hardware-enforced Stack Protection for supported hardware. This exploit mitigation will protect the return address, and work with other Windows mitigations to prevent exploit techniques that aim to achieve arbitrary code execution. When attackers find a vulnerability that allows them to overwrite values on the stack, a common exploit technique is to overwrite return addresses into attacker-defined locations to build a malicious payload. This technique is known as return-oriented programming (ROP). More details on ROP and hardware shadow stacks is in this kernel blog.

For user mode applications, this mitigation is opt-in, and the following details are intended to aid developers in understanding how to build protected applications. We will describe in detail the two policies in Hardware-enforced Stack Protection: 1) shadow stack 2) instruction pointer validation. Shadow stack hardens the return address and instruction pointer validation protects exception handling targets.

Shadow Stack

Shadow stack is a hardware-enforced read-only memory region that helps keep record of the intended control-flow of the program. On supported hardware, call instructions push the return address on both stacks and return instructions compare the values and issues a CPU exception if there is a return address mismatch. Due to these required hardware capabilities only newer processors will have this feature.

To enable shadow stack enforcement on an application, you only need to recompile the application with the /CETCOMPAT linker flag (available in Visual Studio 2019 16.7 Preview 4).

Generally, code changes are not needed and the only modification to the binary is a bit in the PE header. However, if your code behavior includes modifying the return addresses on the stack (which results in mismatch with the shadow stack), then the hijacking code must be removed.

Applications can also choose to dynamically enable shadow stack enforcement, by using the PROC_THREAD_ATTIBUTE_MITIGATION_POLICY attribute in CreateProcess. This allows programs with multiple executables with the same name to specify specific processes to enable enforcement.

Shadow stack enforcement by default is in compatibility mode. Compatibility mode provides a more flexible enforcement of shadow stacks, at module granularity. When a return address mismatch occurs in this mode, it is checked to see if 1) it is not in an image binary (from dynamic code) or 2) in a module that is not compiled for /CETCOMPAT. If either hold true, the execution is allowed to continue. This way, you can slowly increase the coverage of the mitigation, by compiling more modules with /CETCOMPAT at your own pace. To protect dynamic code in compatibility mode, there is a new API, SetProcessDynamicEnforcedCetCompatibleRanges, to allow you to specify a range of virtual addresses to enforce this mitigation. Note that by default this API can only be called from outside the target process for security purposes.

Note that all native 64-bit Windows DLLs are compiled with /CETCOMPAT.

Strict mode, by definition, strictly enforces shadow stack protections and will terminate the process if the intended return address is also not on the shadow stack.

Today, it is recommended to enable your application in compatibility mode, as third-party DLLs may be injected into your process, and subsequently perform return address hijacking. We are working with our ecosystem developers to clean up any of this behavior. At the current time, we recommend beginning by enabling compatibility mode enforcement for your application.

The following diagram illustrates how the system behaves under shadow stack. When a return address mismatch occurs, the CPU raises a #CP exception:

As you can see, return address mismatches cause a trap to the kernel, which comes with a performance hit even if the mismatch is forgiven and execution is allowed to continue.

Instruction Pointer Validation

With the presence of shadow stacks, one of the next exploit techniques attackers may use to hijack control flow is corrupting the instruction pointer value inside the CONTEXT structure passed into system calls that redirect the execution of a thread, such as NtContinue and SetThreadContext. To provide a comprehensive control-flow integrity mitigation, Hardware-enforced Stack Protection includes an additional mitigation to validate the instruction pointer during exception handling. It is important to keep this mitigation in mind as well when testing for compatibility.

When shadow stacks are enabled for an application, SetThreadContext is enlightened to validate the user-supplied instruction pointer. Calls are allowed to proceed only if the value is found on the shadow stack (otherwise the call will fail).

For structured exception handling, RtlRestoreContext/NtContinue is hardened by a parallel mitigation, EH Continuation Metadata (EHCONT), by using the /guard:ehcont flag.

When this flag is specified, the compiler will include metadata in the binary that has a table of valid exception handling continuation targets. The list of continuation targets is generated by the linker for compiled code. For dynamic code, continuation targets should be specified using SetProcessDynamicEHContinuationTargets (similarly can only be called from outside the target process by default). With this feature enabled, the user-supplied instruction pointer will be checked to see if it is 1) on the shadow stack or 2) in the EH continuation data, before allowing the call to proceed (otherwise the call will fail). Note that if the binary does not contain EHCONT data (legacy binary), then the call is allowed to proceed.

Additionally, an application can be compiled for EHCONT even without shadow stack protection, in which the user-supplied instruction pointer must be present in the EH continuation data.

Common Violations

To properly build your application for Hardware-enforced Stack Protection, ensure there is a good understanding of how these security mitigations are enforced. Since shadow stacks are present throughout the lifetime of the process, the test matrix is enabling the above mitigations and ensure all code paths do not violate the security guarantees. The goal is to ensure present application code does not perform any behavior deemed unsecure under these mitigations.

Here are some examples of behaviors that violate shadow stacks:

Certain code obfuscation techniques will not automatically work with shadow stacks. As mentioned above, CALL and RET are enlightened to push onto the shadow stack and perform return address comparisons. Instruction combinations like PUSH/RET will not work with shadow stacks, as the corresponding return address is not present on the shadow stack when RET is performed. One recommendation here is instead using a (Control flow guard protected) JMP instruction.

Additionally, techniques that manually return to a previous call frame that is not the preceding call frame will also need to be shadow stack aware. In this case, it is recommended to use the _incsspq intrinsic to pop return addresses off the shadow stack so that it is in sync with the call stack.

User Interfaces

There are some user interfaces to help you understand the state of enforcement of processes on the machine. In task manager, adding the “Hardware-enforced Stack Protection” column in the “Details” tab will indicate processes are shadow stack protected, and whether they are in compatibility (compatible modules only) or strict (all modules) mode.

Additionally, this mitigation can be controlled similar to other exploit protections, including toggling the enforcement using the Windows Defender UI, Group Policy, PowerShell, and other facilities. Use UserShadowStack and UserShadowStackStrictMode as the parameter keyword to manually toggle enforcement in compatibility and strict mode, respectively. Use AuditUserShadowStack to enable audit mode.

Requirements

You can begin building and testing your application to support Hardware-enforced Stack Protection today, by ensuring you have the following:

CET Hardware: 11^th Gen Intel Core Mobile processors and AMD Zen 3 Core (and newer)

Hardware-enforced Stack Protection capable OS: 19041.622 or 19042.622 and newer versions

Conclusion

We will continue to strive towards investing in exploit mitigations to make Windows 10 the most secure operating system. These mitigations will help proactively prohibit an attacker’s ability to hijack your program in the event a vulnerability is discovered. Note in the current release, this mitigation is only supported in 64-bit code. There is no support for 32-bit code, WoW64, or in Guest Virtual Machines at the moment.

In the latest canary builds of Edge (version 90), Hardware-enforced Stack Protection is enabled in compatibility mode on the browser and a few non-sandboxed processes. In upcoming releases, there will be continued investments in expanding the list of processes protected by this mitigation. Please try it out and provide your feedback. You can send related questions to CETQuestions@microsoft.com.

Kernel Protection team - Jin Lin, Jason Lin, Matthew Woolman

How to manage SAP IQ License in HA Scenario

jitendrasingh — Fri, 26 Feb 2021 22:51:48 GMT

How to manage SAP IQ License in HA Scenario

This blog is an extension to Deploy SAP IQ-NLS HA Solution using Azure NetApp Files on SUSE Linux Enterprise Server

As part of this blog, we will learn how to manage the SAP IQ license when configured for High-Availability on ANF.

Problem Statement:

The SAP IQ High Availability Architecture on ANF proposes to hosts the SAP IQ database on ANF Volume.

As part of failover, the database filesystem [ANF Volume] moves from Node1 to Node2. The files including the license file on ANF Volume remain static, meaning the license will have Node1 hostname [Old Primary node] when it failovers to Node2 [New Primary node] stopping SAP IQ from start-up on Node2 as part of failover.

The above architecture points to an update (option) where SBD VM's can be replaced with Azure Fencing Agent to simplify the architecture.

Solution:

Please refer to SAP Note 2628620, 2376507 to understand further on SAP IQ License generation and options.

Follow the below steps to update the license key for ANF volume

1. Based on the SAP IQ system, generate Production type CP license or non-production type DT for Primary node.

2. Generate Standby license type SF for Secondary node. System type must be Backup system & License Type should be Standby Instance [IB] [On SAP Portal, the selection will be IB].

3. Create two separate .lmp files with below format <hostname1>.lmp

In this LT should be equal to CP (for prod) and DT (for non-prod)

<hostname2>.lmp

In this LT should be equal to SF (for Standby node)

4. Change IQ startup script (sapiq_start.sh) and add below code lines into the script cd <path to database directory

hostnm=`hostname`

if [ -f ./${hostnm}.lmp ]; then

cp ${hostnm}.lmp SAPIQDB_<SID>.lmp fi

5. Start the cluster and execute HA test cases for validation.

How to use Azure Firewall Premium with WVD

Nathan Swift — Wed, 24 Feb 2021 19:53:00 GMT

Azure Firewall Premium is now in Public Preview and offers many new and powerful capabilities that can be used in your Windows Virtual Desktop environment. Several of these capabilities are Intrusion Detection and Prevention System (IDPS) and Web Categories. You can learn more about these capabilities and how they protect Windows Virtual Desktop environments plus some sample application and network rules and their anatomy in this post.

Assets created in this article can be found here:

If you would like to test along check out the instructions on how to deploy Azure Firewall premium. Be sure to take in consideration the WVD Virtual network and that there is dedicated subnet for Azure Firewall. The minimum IP address space in CIDR notation needed is /26 for the dedicated Azure Firewall subnet. The subnet must also be named AzureFirewallSubnet .Below is a sample template I use in pilots using a single Virtual Network with multiple subnets and segmentation for Windows Virtual Desktop.

After Azure Firewall Premium is deployed be sure to create a User Defined Route by creating a Route Table in Azure

Once created go to the route table and add a route.

When adding the route you can in testing add a quad zero route of 0.0.0.0/0 which will steer all public traffic public to a next hop address of the Azure Firewall Premium private IP address.

If you have additional VNETs or Subnets for testing, add more granular routes xx.xx.xx.xx/yy to each Azure private IP address space that needs to pass to the Azure Firewall, be sure to include next hop address of the Azure Firewall Premium private IP address.

Once added we can associate the route to the Windows Virtual Desktop subnet. Once associated the traffic will flow to Azure Firewall Premium as next hop.

Intrusion Detection and Prevention System (IDPS)

Azure Firewall Premium now brings Intrusion Detection and Prevention System (IDPS) to your virtual network and Windows Virtual Desktop Host Pool internet bound communications. Under the hood is an abstracted Suricata engine and the signatures fed by powerful third party watchlists. IDPS is a great feature to use as you may allow some openness to your Internet bound traffic within Windows Virtual Desktop. As employees surf the web or execute programs, IDPS can scan each network connection against its rules and then Audit or Audit and Deny traffic based on signature matches.

To turn on this feature with Azure Firewall policy applied to it, you will find a new blade for IDPS (preview). Please note this will only work for Azure Firewall premium. In addition, be sure to review configuring your Azure Firewall policies to use KeyVault and certificates to do TLS inspection, this will greatly enhance IDPS.

Once turned on you will want to send the Azure Firewall Diagnostic traffic to Log Analytics or your SIEM of choice. This is because it will help record the Signatures discovered that were audited or denied in IDPS so you can use Signature Rules.

You can set this up by going to the Azure Firewall resource and to the Diagnostic Settings blade and Add Diagnostic Settings.

Then define and send the logs to Log Analytics workspace

Within Log Analytics you can use the following Query to look at the traffic that was alerted or alerted and denied on with IDPS, including the signature in the event you need to tweak the Signature to allow or deny.

AzureDiagnostics | where TimeGenerated >= ago(90d) | where Category == "AzureFirewallNetworkRule" | where OperationName == "AzureFirewallIDSLog" | parse msg_s with * "TCP request from " Source " to " Destination ". Action: " ActionTaken ". Rule: " IDPSSig ". IDS: " IDSMessage ". Priority: " Priority ". Classification: " Classification | project TimeGenerated, Source, Destination, ActionTaken, IDPSSig, IDSMessage, Priority, Classification

Once you have a signature, you can use this in Azure Firewall polies and IDPS (Preview) blade further to help with over riding the default mode you set IDPS on earlier via the signatures. This can help with false positives if Deny is default for IDPS mode or for adding to blocklists you generate in a permissive Alert Only IDPS mode

Finally if you need certain WVD Host Pool Members or other Components of the architecture to bypass IDPS all together you can set this within the Bypass list. You may have a WVD Host Pool that includes a legacy application that does not have methods of supporting certificates from the Azure Firewall. Most modern applications and web browsers support this but if you do encounter one you can use this bypass list. The Bypass list allows a 5 tuple network rule configuration. Once configured the servers originating traffic will no longer pass through IDPS.

Web Categories

Another approach is to use web categories to deny or allow traffic based on website characteristics like social media sites or gambling websites as an example. There are 64 web categories across differing classifications for selection. This is certainly appealing to block or allow web content to your employees utilizing their Windows 10 interface to the Internet through Windows Virtual Desktop. Below is an example of creating a rule collection and using web categories to deny traffic from Windows Virtual Desktop host pools. An even interesting feature is if you were to block News for instance under Azure Firewall premium a URL like www.google.com/news would be blocked under the web category so it extends beyond the FQDN and into the URL path.

{ "ruleType": "ApplicationRule", "name": "AllowNews", "protocols": [ { "protocolType": "Https", "port": 443 } ], "webCategories": [ "business", "webbasedemail" ], "sourceAddresses": [ "*" ], "terminateTLS": true }

Anatomy of a Firewall Rule Collection

When using Azure Firewall to protect your Windows Virtual Desktop host pools, there are special rules that have to be implemented beyond the Windows Virtual Desktop tag to allow for the host pools to communicate properly with the Host Traffic. The needed WVD rules are outlined here but you can use the rules as an example to walkthrough the anatomy of Azure Firewall rule as code.

One of the capabilities of Azure Firewall is configuration as code, in particular ARM Template code in Declarative JSON. As an example you will walk through the firewall rule as code.

You will need a couple rule collections to allow traffic for the Windows Virtual Desktop host pools to communicate outbound to the management plane. A rule collection code is very simple, it allows you to define a collection of rules for the Azure Firewall, the priority they will take, the action of allowing or denying traffic in those rules and the rules themselves. An example below.

{ "name": "AllowAdditionalWVDApp", "priority": 203, "ruleCollectionType": "FirewallPolicyFilterRuleCollection", "action": { "type": "Allow" }, "rules": [] }

In the next section you will want to define those rules that fit within the collection.

According to the Azure documentation you will use an Application rule and a FQDN tag. The following rule code fits into the rule collection code “rules”: […]

{ "ruleType": "ApplicationRule", "name": "AllowWVDTag", "protocols":[ { "protocolType":"Https", "port":443 }, ], "fqdnTags": [ "WindowsVirtualDesktop" ], "targetFqdns": [], "sourceAddresses":[ "XX.XX.XX.XX/YY" ], "sourceIpGroups": [], "terminateTLS":false },

“sourceAddress”: [ xx.xx.xx.xx/yy ] is the Network CIDR range of the subnet where your Azure Virtual Desktop host pools are located in.

This rule will allow HTTPS traffic from the Windows Virtual Desktop host pool VMs to communicate with the management plane of WVD via the Tag.

You need to add some additional rules as well into the rule collection set, these allow the Windows Virtual Desktop host pool VMs to communicate with the data plane of WVD.

According to the documentation, the data plane of the WVD can be unique per instance. The first example may be a bit too wide open for your security posture and risk. In order to have more restrictive rules that are granular to only allow specific access to the data plane of WVD; the documentation provides you with a KQL query you can run against the Azure Firewall’s diagnostic logs.

AzureDiagnostics | where Category == "AzureFirewallApplicationRule" | search "Deny" | search "gsm*eh.servicebus.windows.net" or "gsm*xt.blob.core.windows.net" or "gsm*xt.table.core.windows.net" | parse msg_s with Protocol " request from " SourceIP ":" SourcePort:int " to " FQDN ":" * | project TimeGenerated,Protocol,FQDN

Another method to find these specific FQDNs of the WVD data layer can also be found on the Host Pool VM themselves in the Event Viewer. Many thanks to Eric Moore who discovered this technique. This can be useful if you are putting in an Azure Firewall into an existing WVD host pool to prevent interruption.

On the WVD Host Pool VM Open Event Viewer, go to Windows Logs and Application

Filter on Source: WVD-Agent and Event ID: 3701

Scroll through the events until you come across one that exposes a larger list more then 4 FQDNs

Now that you have obtained the FQDNs unique to your WVD instances you can create additional Application Rules to allow the Windows Virtual Desktop host pools to communicate on the data access layer. The WVD Data access layer consists of unique Azure Service Bus, Storage Accounts blobs, tables, and queues.

{ "ruleType": "ApplicationRule", "name": "AllowWVDServicebus", "protocols":[ { "protocolType":"Https", "port":443 } ], "targetUrls":[ "gsm1860291218eh.servicebus.windows.net/*", "gsm1402610616eh.servicebus.windows.net/*", "gsm2121010078eh.servicebus.windows.net/*", "gsm2076831083eh.servicebus.windows.net/*" ], "sourceAddresses":[ "XX.XX.XX.XX/YY" ], "terminateTLS":true }, { "ruleType": "ApplicationRule", "name": "AllowWVDBlob", "protocols":[ { "protocolType":"Https", "port":443 } ], "targetUrls":[ "gsm1860291218xt.blob.core.windows.net/*", "gsm1402610616xt.blob.core.windows.net/*,", "gsm2121010078xt.blob.core.windows.net/*", "gsm2076831083xt.blob.core.windows.net/*" ], "sourceAddresses":[ "XX.XX.XX.XX/YY" ], "terminateTLS":true }, { "ruleType": "ApplicationRule", "name": "AllowWVDTable", "protocols":[ { "protocolType":"Https", "port":443 } ], "targetUrls":[ "gsm1860291218xt.table.core.windows.net/*", "gsm1402610616xt.table.core.windows.net/*", "gsm2121010078xt.table.core.windows.net/*", "gsm2076831083xt.table.core.windows.net/*" ], "sourceAddresses":[ "XX.XX.XX.XX/YY" ], "terminateTLS":true }, { "ruleType": "ApplicationRule", "name": "AllowWVDQueue", "protocols":[ { "protocolType":"Https", "port":443 } ], "targetUrls":[ "gsm1860291218xt.queue.core.windows.net/*", "gsm1402610616xt.queue.core.windows.net/*", "gsm2121010078xt.queue.core.windows.net/*", "gsm2076831083xt.queue.core.windows.net/*" ], "sourceAddresses":[ "XX.XX.XX.XX/YY" ], "terminateTLS":true },

“sourceAddress”: [ xx.xx.xx.xx/yy ] is the Network CIDR rage of the subnet where your Azure Virtual Desktop host pools are located in.

This rule will allow HTTPS traffic from the Windows Virtual Desktop host pool VMs to communicate with the unique data plane of WVD.

Be sure to review configuring your Azure Firewall policies to use KeyVault and certificates to do TLS inspection, this will allow the use of the URL / within the application rules.

The rules above are reflected in the Azure Portal within the Firewall Policy under Application Rules

You will now create a new rule collection set for the Network based rules to allow certain traffic from the Windows Virtual Desktop host pools.

{ "name": "AllowAdditionalWVDNetwork", "priority": 103, "ruleCollectionType": "FirewallPolicyFilterRuleCollection", "action": { "type": "Allow" }, "rules": [...] }

Azure documentation states the following for Network based rules

Those rules will look like the following in code between the rule collection code “rules”: […]

{ "ruleType": "NetworkRule", "name": "AllowADDNS", "ipProtocols": [ "TCP", "UDP" ], "sourceAddresses": [ "XX.XX.XX.XX/YY" ], "destinationAddresses": [ "ZZ.ZZ.ZZ.ZZ" ], "sourceIpGroups": [], "destinationIpGroups": [], "destinationFqdns": [], "destinationPorts": [ "53" ] },

“sourceAddress”: [ xx.xx.xx.xx/yy ] is the Network CIDR range of the subnet where your Azure Virtual Desktop host pools are located in.

This first network rule in the ruleset Allows the WVD Host Pools to communicate TCP 53 with Local AD DNS servers. ZZ.ZZ.ZZ.ZZ is the AD DNS Server(s). Note if you are restrictive in the communication between Host Pool and Active Directory Domain Services subnet, you may want to also open additional ports outlined here for Active Directory.

An example of the next rule is below

{ "ruleType": "NetworkRule", "name": "AllowAzureKMS", "ipProtocols": [ "TCP" ], "sourceAddresses": [ "XX.XX.XX.XX/YY" ], "destinationAddresses": [], "sourceIpGroups": [], "destinationIpGroups": [], "destinationFqdns": [ "kms.core.windows.net" ], "destinationPorts": [ "1688" ] },

The second network rule is allowing the WVD Host Pools to communicate with the Azure KMS service. What is interesting here is the use of a FQDN in a Network Rule rather than an IP address for destination. A couple months back Azure Firewall introduced this capability which allows the Azure Firewall to Leverage Azure DNS or a Custom DNS to lookup answers for the network rule. This can simplify a lot of rules now since many Azure services or Microsoft Services or 3^rd party cloud services have a FQDN service that’s IP addresses can change from time to time.

If you are using a Network rule like this with FQDN, please take note you need to update the Azure Firewall to utilize FQDNs in network rules, the following article goes into more detail.

The ARM template and Infrastructure as code looks like this under the resource Microsoft.Network/firewallPolicies

"properties": { "threatIntelMode": "Alert", "dnsSettings": { "servers": [] }, "transportSecurity": { "certificateAuthority": { "name": "cacert" } } }

In the Azure portal if you go to the Azure Firewall policy and under Setting > DNS the equivalent configuration.

A final network rule will allow the WVD host pool communicate with NTP servers using the FQDN as a destination.

{ "ruleType": "NetworkRule", "name": "AllowWindowsNTP", "ipProtocols": [ "UDP" ], "sourceAddresses": [ "*" ], "destinationAddresses": [], "sourceIpGroups": [], "destinationIpGroups": [], "destinationFqdns": [ "time.windows.com" ], "destinationPorts": [ "123" ] }

The rules above are reflected in the Azure Portal within the Firewall Policy under Network Rules

All of the rule collections and application and network rules discussed here can also be found on Azure Network Security GitHub repo as a deployable Azure Fw Policy. There will be continuing improvement on the WVD Azure Firewall Policy sample to include the Active Directory, Azure NetApp, and Office 365 Allow Rules. For now the deployable sample will include the items discussed in the Azure documentation.

In this post you learned how to use the new features of Azure Firewall premium with Windows Virtual Desktop. Features like IDPS and Web Categories which enhance your security posture for Windows Virtual Desktop. You also learned some examples of Application and Network rules for Windows Virtual Desktop.

Be sure to check out other examples at Azure Network Security GitHub and if interested please upload your Azure Firewall Sample patterns here as well via a pull request.

Special thanks to:

@Nyler Gaskins for GitHub assets and testing and reviewing this post

Kapila for testing and reviewing the post

for how to find the WVD data plane communication technique

Azure Logic Apps - Authenticate with managed identity for Azure AD OAuth-based connectors

nidhipathak — Wed, 24 Feb 2021 19:50:03 GMT

When you enable and use a managed identity (formerly Managed Service Identity or MSI) for authentication, your logic apps can more easily access Azure resources that are protected by Azure Active Directory (Azure AD). A managed identity removes the need for you to manage credentials or Azure AD tokens by providing Azure services with an identity that is managed by Azure AD.

Azure Logic Apps currently supports both system-assigned and single user-assigned managed identities for specific built-in triggers and actions such as HTTP, Azure Functions, Azure API Management, Azure App Services, and so on. This blog post announces preview support for using your logic app's managed identity to authenticate to Azure AD OAuth-based managed connector triggers and actions.

Below is the list of connectors supporting managed identity authentication in preview with more support coming for other connectors in the future:

Connector	Connector API name
Azure Container Instance	aci
Azure Resource Manager	arm
Azure Automation	azureautomation
Azure Data Factory	azuredatafactory
Azure Data Lake	azuredatalake
Azure Log Analytics	azureloganalytics
Azure Key Vault	keyvault
Azure Event Grid	azureeventgrid
Azure Sentinel	azuresentinel
Azure Data Explorer (Preview)	kusto
Azure AD Identity Protection (Preview)	azureadip
Azure IoT Central V3 (Preview)	azureiotcentral
HTTP with Azure AD	webcontents

Prerequisites

An Azure account and subscription. If you do not have a subscription, sign up for a free Azure account. Both the managed identity and the target Azure resource where you need access must use the same Azure subscription.
To give managed identity access to an Azure resource, you need to add a role to the target resource for that identity. To add roles, you need Azure AD administrator permissions that can assign roles to identities in the corresponding Azure AD tenant.

Configure managed identity authentication on supported connectors

In the Azure portal, you can either use an existing logic app that has enabled the user-assigned or system-assigned managed identity, or you can create a new logic app and then enable the system-assigned or user-assigned managed identity on your app. The example in this blog post uses a logic app's system-assigned managed identity. You can set up your logic app with either the system-assigned identity or a single user-assigned identity, but not both. A group of logic apps can share a user-assigned identity because they're not bound to a single Azure resource, while the system-assigned identity strictly belongs to a single Azure resource and can't be shared.
On the target Azure resource where you want the managed identity to have access, give that identity role-based access to the target resource. This role lets your logic app authenticate access to the target resource at runtime by using the managed identity’s Azure AD tokens.
In the Azure portal, open your logic app in the Logic App Designer. Add a trigger or action from a connector that supports managed identity authentication and then select an operation.

The above example in this post sets up the Azure Resource Manager action, named Read a resource, to use the logic app's system-assigned managed identity for authentication and read the specified Azure resource.
Create a new connection by selecting Connect with managed identity (preview).

The action now shows the managed identity drop-down list, which includes the managed identity type that's currently enabled on the logic app.

If the managed identity isn't enabled, the following error appears when you try to create the connection.

After successfully creating the connection, the designer can fetch any dynamic values, content, or schema by using managed identity authentication.
Provide the required input for the action that you selected. The connection name appears at the bottom of the action shape.
Add any other actions that your logic app requires to run. When you're done, save the workflow.
To test your logic app, on the designer toolbar, select Run.

How does a connection with a managed identity work at runtime?

Connections that you created to use a managed identity are a special connection type that you can use only with a managed identity.

At runtime, the connection uses the managed identity that’s enabled on the logic app. This configuration is saved in the logic app definition’s parameters object, which contains the $connections property object that includes pointers to the connection’s resource ID, the api’s resource ID and connectionProperties. The authentication property in connectionProperties contains user-assigned identity’s resource id if a user-assigned identity is associated with the logic app. No additional input is required in authentication property object other than type, if a system-assigned identity is associated with the logic app.

During runtime, the Logic Apps service checks whether any managed connector trigger and actions in the logic app are configured to use the managed identity and that all the required permissions are set up to use the managed identity for accessing the target resources that are specified by the trigger and actions. If successful, the Logic Apps service retrieves the Azure AD token that’s associated with the managed identity and uses that token to authenticate to the target resource and perform the configured operation in trigger and actions.

Next steps

We’d like your feedback! Please try the managed identity support managed connections that support Azure AD OAuth and let us know what you think. Stay tuned for managed identity support in more connectors such as SQL Server, Office, Power platform, and other Azure connectors.

Microsoft Azure Attestation is now generally available

Sindhuri_Dittakavi — Wed, 24 Feb 2021 19:41:14 GMT

The rapid adoption of Azure globally has resulted in a need to provide strong security assurances to customers on the state of their workloads and Azure’s ability to protect their data. Azure confidential computing offers a state-of-the-art hardware, software & services platform to protect sensitive customer data in-use while minimizing the Trusted Computing Base (TCB). Microsoft Azure Attestation reinforces the security promises made by cutting-edge security paradigms such as confidential computing.

Azure Attestation offers a simple PaaS experience to enable customers solve the complicated problem of gaining trust and verifying the identity of an environment before they interact with it. The ability to gain this trust allows customers to develop applications and create business models that require uncompromising trust where they were previously unable to create them -- in the cloud.

What is Azure Attestation?

Azure Attestation is a unified solution that supports attestation of platforms backed by Trusted Platform Modules (TPMs) alongside the ability to attest to the state of Trusted Execution Environments (TEEs) such as Intel® Software Guard Extensions (SGX) enclaves and Virtualization-based Security (VBS) enclaves.

Azure Attestation receives evidence from an environment, validates it with Azure security standards and configurable user-defined policies, and produces cryptographic proofs (termed as attestation tokens) for claims-based applications. These tokens enable relying parties to gain confidence in trustworthiness of the environment, integrity of the software binaries running inside it and make trust-based decisions to release sensitive data to it. The tokens generated by Azure Attestation can be consumed by services in scenarios such as enclave validation, secure key sharing, confidential multi-party computation etc.

Why use Azure Attestation?

Azure Attestation provides the following benefits:

Offers a unified solution for attesting multiple TEEs or platforms backed by TPMs
Provides regional shared attestation providers to simplify the attestation process without the need for additional configuration
Allows creation of custom attestation providers and configuration of policies to customize attestation token generation
Provides ability to securely communicate with the attested platform with the help of data embedded in an attestation token using industry-standard formatting
Highly available service with Business Continuity and Disaster Recovery (BCDR) configured across regional pairs

How does Azure Attestation work?

An attestation provider is a service endpoint of Azure Attestation that provides REST contract. You can choose to use the regional shared providers or create your own custom provider. Attestation provider comes with a default policy for each supported attestation type. Azure Attestation also lets you enforce custom rules in your custom provider via a configurable policy. If configured, an attestation policy is used to process the attestation evidence and determines whether the service shall issue an attestation token.

The following actors are involved in an Azure Attestation workflow:

Client: The component which collects evidence from an environment and sends attestation requests to Azure Attestation.

Azure Attestation: The component which accepts evidence from the client, validates it with Azure security standards, evaluated it against the configured policy and returns attestation token to the client.

Relying party: The component which relies on Azure Attestation for remotely attesting the state of an environment supported by TPM/enclave.

Consider a multi-party data sharing use-case where organizations (relying party) want to share data with its partners and achieve great insights by running inference models on the aggregated information. To protect data confidentiality while leveraging mutual benefits, data in-use can be encrypted and stored in TEEs like SGX enclaves. However before giving access to the encrypted content, organizations would like to validate trust worthiness of the enclave and then securely transfer secrets to the enclave. Azure Attestation enables in the remote verification process.

Below is the workflow example for confidential computing scenario based on Azure Attestation:

The user creates an provider using PowerShell/Portal/CLI
(Note: Regional shared attestation providers can be used to perform attestation when there is no requirement for custom policies)
Attest URI is returned to the user
Attest URI is shared with the TEE client as a reference to Azure Attestation
The client collects enclave evidence and sends attestation request to Azure Attestation
The service validates the submitted information and evaluates it against a configured policy. If the verification succeeds, it issues an attestation token and returns it to the client
The client sends the attestation token back to the relying party
The relying party calls public key metadata endpoint of Azure Attestation to retrieve signing certificates of the attestation token. The relying party then verifies the signature of the attestation token and refers the claims inside it
The public key generated within an enclave is embedded in the attestation token. Relying party can use this key from the verified response to encrypt the secrets and share with the enclave

Getting started with Azure Attestation

To create an attestation provider via the Azure portal, select Azure Attestation in the Azure portal Marketplace menu and click Create

Provide a name, location, subscription and resource group and proceed with the creation of your attestation provider. (Upload policy signer certificates file to configure the attestation provider with signed policies. Learn more)

Once created, details of the provider can be seen on the Overview page.

To view the default policy of your attestation provider, select Policy in the left-hand side Resource Menu. You see a prompt to select certificate for authentication. Please choose the appropriate option to proceed.

To configure a custom policy to meet your requirements, click configure. Provide policy information in text/JSON Web Token format and click Save.

Click the Refresh button to view the updated policy

Creation and management of attestation providers can also be performed using Command Line Interface (CLI) or Azure PowerShell.

Customer success stories

We are excited to multiple scenarios benefiting from Azure Attestation. Some of them include:

SQL Always Encrypted with secure enclaves

“Microsoft Azure Attestation is a key component of a solution for confidential computing provided by Always Encrypted with secure enclaves in Azure SQL Database. Azure Attestation allows database users and applications to attest secure enclaves inside Azure SQL Database are trustworthy and therefore can be confidently used to process queries on sensitive data stored in customer databases.”

- Joachim Hammer, Principal Group PM Manager, Azure SQL

ISV partners

Microsoft also works with platform partners who specialize in creating scalable software running on top of Azure confidential computing environments. The partners like Fortanix, Anjuna, and Scone have expressed great interest in leveraging the services offered by Azure Attestation.

Future roadmap for Azure Attestation

Our long-term aspiration is partnering with people and organizations around the planet to help them achieve more, and more securely with Microsoft Azure Attestation. Azure Attestation will be the one Microsoft service that attests multiple platforms used by Azure customers such as Confidential Containers, Confidential VMs, IOT edge devices and more. We expect Azure Attestation to be the leading cloud service for customers to establish unconditional trust in infrastructure and runtime across Azure, on-prem and edge. It will drive the adoption of Microsoft services while strengthening customer data governance.

Learn more about Azure Attestation.

WinObj v3.0 and Coreinfo v3.52

lukekim — Wed, 24 Feb 2021 19:33:05 GMT

WinObj v3.0

This major update to WinObj adds dynamic updates, quick search, full search, properties for more object types, as well as performance improvements. It's also the first Sysinternals tool to feature a dark theme.

Coreinfo v3.52

This update to Coreinfo adds reporting for CET (shadow stack) support.

10 Reasons to love Passwordless #1: FIDO Rocks

Pamela Dingle — Mon, 01 Mar 2021 15:57:24 GMT

Over the next few weeks, the Microsoft Identity team will share 10 reasons to love passwordless and why you should consider changing how you (and your users) login every day. Kicking off the series is Pamela Dingle.

I love passwordless authentication because of the amazing flexibility and choice that come with strong authentication standards like Fast IDentity Online – also known as FIDO. Before sharing how FIDO has helped make my life easier, let’s talk a little about passwordless.

Passwordless authentication means living a daily digital life where you never type a password. Instead, you use more secure ways to authenticate such as a fingerprint reader built into your Windows laptop, face unlock on your Android device, or a push notification you respond to on your iPhone. The best part is you can set up just one or all of these passwordless identity mechanisms. That means there is a passwordless option no matter where you are or what you are doing. For me, this has huge benefits: 1) Less typing, 2) Less remembering of stupid passwords that make me angry, 3) Less retyping of the passwords because I got them wrong the first time, and 4) Wow is it more secure.

Back to my favorite part about passwordless authentication at Microsoft – the fact that we offer open standards-based options via the FIDO family of protocols. FIDO lets a website request a secure credential in a vendor-agnostic way. This means no lock-in! In the past, in order for a website to support secure login mechanisms like fingerprint or facial recognition, the website developer would need to write proprietary code, possibly for many types of computer hardware,operating systems, or smartphone implementations – it was just a mess. If you used a product that wasn’t on the supported list, you were out of luck. Now, the website can just use a protocol called W3C Web Authentication to ask for a FIDO credential. This eliminates a ton of proprietary code, so it is less expensive to maintain for the website, and it is more likely to work in the real world. When you couple the breadth of FIDO-compliant solutions in the ecosystem with our other passwordless options, like our authenticator app, there are a lot of flexible options.

FIDO support for passwordless authentication has made my life easier by reducing vendor lock-in. When working on my Lenovo laptop, I use the built-in fingerprint reader to login without typing. Since I’m now home all the time, I prefer to use my Apple Mac mini for work. Normally, switching to a different hardware manufacturer would be a big barrier, plus the Mac mini does not have a fingerprint reader! Luckily, I have a roaming authenticator (called a security key) registered with Azure Active Directory (along with my laptop fingerprint). With that security key plugged into my USB port, I can login passwordlessly on ANY computer that I want. I can move my security key from my Mac mini to a laptop and never type anything.

When I travel, my laptop’s built-in authenticator is the most convenient authentication option.. At home, I prefer the plugged-in security key. A bunch of awesome FIDO2 vendors offer different form factors. I can pick the vendor and form factor that works best for me. FIDO2 earrings, anyone? This set of authenticators works really well for me but what is best for you and each of your users could be different! Really, that is the crux of why we enable so many options with FIDO2, Windows Hello, and the Authenticator - we want you to go passwordless your way.

Upcoming passwordless posts

There is so much more to learn about why passwordless authentication is the future, and about how you can find a passwordless factor (or two) to make your world better. My Microsoft identity colleagues are all going to try to outdo this reason with their own takes on why passwordless is so awesome – stay tuned for the next two segments in this series:

Alex Weinert on why biometrics and passwordless are a dream combination
Sue Bohn on how passwordless makes your logins 3x faster

Learn more about Microsoft identity:

Return to the Azure Active Directory Identity blog home
Join the conversation on Twitter and LinkedIn
Share product suggestions on the Azure Feedback Forum

Check out the other posts in this series:

What's New in Passwordless Standards, 2021 edition!
10 Reasons to Love Passwordless #1: FIDO Rocks
10 Reasons to Love Passwordless #2: NIST Compliance
10 Reasons to Love Passwordless #3: Why biometrics and passwordless are a dream combination
10 Reasons to Love Passwordless #4: Secure your digital estate, while securing your bottom line
10 Reasons to Love Passwordless #5: The Ease of Use and Portability of Security Keys
10 Reasons to Love Passwordless #6: The Passwordless Funnel

Add reports as favorites in Configuration Manager Technical Preview 2102

Yvette O'Meally — Wed, 24 Feb 2021 18:12:00 GMT

Update 2102 for the Technical Preview Branch of Microsoft Endpoint Configuration Manager has been released. Configuration Manager ships with several hundred reports by default, and you may have added more to that list. Instead of continually searching for reports you commonly use, based on your UserVoice feedback, you can now make a report a favorite. This action allows you to quickly access it from the new Favorites node.

Favorite reports node

This preview release also includes:

Improvements to the collection relationships viewer - Starting in current branch version 2010, you can view dependency relationships between collections in a graphical format. The relationships for a collection were presented as two hierarchical trees, one for dependents and the other for dependencies. In this release, you can view both dependency and dependent relationships together in a single graph. This change allows you to quickly see an overview of all the relationships of a collection at once and then drill down into specific related collections. It also includes other filtering and navigation improvements.

Download Power BI report templates from Community hub - Community hub now supports contributing and downloading Power BI report template files. This integration allows administrators to easily share and reuse Power BI reports. Contributing and downloading Power BI report template is also available for current branch versions of Configuration Manager.

Improvements to BitLocker support via cloud management gateway - In current branch version 2010, you can manage BitLocker policies and escrow recovery keys over a cloud management gateway (CMG). This support included a couple of limitations. Starting in this technical preview release, BitLocker management policies over a CMG support the following capabilities:

Recovery keys for removable drives
TPM password hash, otherwise known as TPM owner authorization

Improvements to query preview - You now have more options when using the collection query preview. The following improvements have been made to previewing collection queries:

Limit the number of rows returned.
Omit duplicate rows from the result set.
Review statistics for the query preview such as number of rows returned and elapsed time.

Improvements to collection evaluation view - The following improvements were made to the collection evaluation view:

The central administration site (CAS) now displays a summary of collection evaluation status for all the primary sites in the hierarchy
Drill through from collection evaluation status queue to a collection
Copy text to the clipboard from the collection evaluation page
Configure the refresh interval for the collection evaluation statistics page

TLS certificate pinning for devices scanning HTTPS-configured WSUS servers - Further increase the security of HTTPS scans against WSUS by enforcing certificate pinning. To enable this behavior, add certificates for your WSUS servers to the new WindowsServerUpdateServices certificate store on your clients and enable certificate pinning through Client Settings. This setting ensures that your clients will only be able to communicate with WSUS when certificate pinning is successful.

Change foreground color for Software Center branding - Software Center already provides various controls for you to customize the branding to support your organization's brand. For some customers, their brand color doesn't work well with the default white font color for a selected item. To better support these customers and improve accessibility, you can now configure a custom color for the foreground font.

Changes for CMPivot - We've temporarily disabled the Simplified CMPivot permissions requirements that were introduced in technical preview version 2101. If you removed the Read permission on SMS Scripts and the default scope permission, re-add the permissions.

Improvements to client setting for Software Center custom tabs - Technical preview version 2101 included a new client setting for displaying Software Center custom tabs. There are general improvements to this feature in this technical preview release.

Change default maximum run time for software updates – Configuration Manager sets the following maximum run time for these categories of software updates:

Feature updates for Windows: 120 minutes
Non-feature updates for Windows: 60 minutes
Updates for Microsoft 365 Apps (Office 365 updates): 60 minutes

All other software updates outside these categories, such as third-party updates, were given a maximum run time of 10 minutes. Starting in this technical preview, the default maximum run time for these updates is 60 minutes rather than 10 minutes.

PowerShell release notes preview - These release notes summarize changes to the Configuration Manager PowerShell cmdlets in technical preview version 2102.

Update 2102 for Technical Preview Branch is available in the Microsoft Endpoint Configuration Manager Technical Preview console. For new installations, the 2010 baseline version of Microsoft Endpoint Configuration Manager Technical Preview Branch is available on the Microsoft Evaluation Center. Technical Preview Branch releases give you an opportunity to try out new Configuration Manager features in a test environment before they are made generally available.

We would love to hear your thoughts about the latest Technical Preview! Send us Feedback about product issues directly from the console and use our UserVoice page for ideas about new features.

Thanks,

The Configuration Manager team

Configuration Manager Resources:

Documentation for Configuration Manager Technical Previews

Try the Configuration Manager Technical Preview Branch

Documentation for Configuration Manager

Microsoft Endpoint Manager announcement

Microsoft Endpoint Manager vision statement

Configuration Manager Forums

Configuration Manager Support

Manage and deploy Microsoft 365 Apps from partners in the Microsoft 365 admin center

snigdhav — Wed, 24 Feb 2021 17:10:46 GMT

Since we introduced Microsoft 365 Apps at Microsoft Ignite 2019, we’ve made investments to further enhance the deployment and management experience for Microsoft 365 Apps from the Microsoft 365 admin center. We introduced the unified deployment experience to SMB customers in March 2020, and now we’re bringing it to enterprise customers as well. The new experience is rolling out in phases and will be available to all customers by February 2021. The experience started with web apps, Teams apps, and Office Add-ins that integrate with Microsoft Graph, then expanded to include SharePoint apps built on the SharePoint Framework.

When this feature is rolled out to your tenant, you will see Integrated apps on the left nav under the Settings section in the Microsoft 365 admin center.

Discover Microsoft 365 Apps

To discover Microsoft 365 Apps, sign-in to the Microsoft 365 admin center, and under Settings, go to Integrated apps. All Microsoft 365 Apps provided by partners that have been deployed in your organization are displayed, including information about existing solutions, and the option to deploy more apps.

You can search for more apps via the Settings -> Integrated apps -> Get apps option. This opens Microsoft AppSource in a popup window. You can then search by the publisher or app name.

Acquire/purchase Microsoft 365 Apps

After searching Microsoft AppSource, you can either acquire or purchase more apps. If your organization already has a license for the app, you can acquire it by choosing Deploy now. Otherwise, you can buy a license directly.

When you choose Buy it, you go to a Purchase page where you can enter payment information.

Deploy Microsoft 365 Apps to multiple workloads

After selecting the app, you are redirected to the Integrated apps page, where you can:

Deploy Microsoft 365 Apps or choose which app to deploy.
Deploy to the entire organization or choose specific users or groups to deploy to.
Test the app by deploying it to your own tenant.

We recommend that you deploy Microsoft 365 Apps from partners, including both web apps and add-ins, to maximize the value to your organization.

Manage Microsoft 365 Apps

When new add-ins are made available for Microsoft 365 Apps that can be deployed, you will see More apps available in the UI and you can choose to deploy the new add-in.

For details about deploying and managing Microsoft 365 Apps, see Test and deploy Microsoft 365 Apps in the Microsoft 365 admin center.

Going forward

We are continuously building capabilities that will meet the needs of specialist and global admins for enterprise customers. We are also making ongoing improvements to help you complete tasks faster and more easily, so that you can bring greater value to your organization and business stakeholders.

Continue the conversation by joining us in the Microsoft 365 Tech Community! Whether you have product questions or just want to stay informed with the latest updates on new releases, tools, and blogs, Microsoft 365 Tech Community is your go-to resource to stay connected!

Microsoft Defender for Identity Ninja Training

BrandonLawson — Wed, 24 Feb 2021 17:00:00 GMT

Microsoft Defender for Identity Ninja Training

Welcome to the Microsoft Defender for Identity Ninja Training!

Microsoft Defender for Identity (renamed from Azure Advanced Threat Protection or Azure ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. This Ninja blog covers the features, detentions, and functions of Microsoft Defender for Identity.

Short Link: aka.ms/MDINinja

In terms of overall structuring, the training sessions are split into three different knowledge levels:

Module	Description
Level 1: Beginner (Fundamentals)	Introduction to Microsoft Defender for Identity, and planning your Deployment.
Level 2: Intermediate (Associate)	Identity Security Posture Assessments, Investigate Lateral Movement Paths, Indicators of compromise
Level 3: Advanced (Expert)	Advanced Hunting with Microsoft 365 Defender

Legend/Acronyms
(D)	Microsoft Documentation
(V)	Video
(G)	Interactive Guide
(B)	Blog
MCAS	Microsoft Cloud App Security
RBAC	Role-based access control
MDI	Microsoft Defender for Identity
AATP	Azure Advanced Threat Protection
ATP	Advanced Threat Protection
AIP	Azure Information Protection
ASC	Azure Security Center
AAD	Azure Active Directory
CASB	Cloud Access Security Broker
MTP	Microsoft Threat Protection
GCC	Government Community Cloud
GCC-H	Government Community Cloud High

Note: Threat protection product names from Microsoft are changing. Read more about this and other updates here. We'll be updating names in products and in the docs soon.

Microsoft 365 Defender (previously Microsoft Threat Protection)
Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection)
Microsoft Defender for Office 365 (previously Office 365 Advanced Threat Protection)
Microsoft Defender for Identity (previously Azure Advanced Threat Protection)

Fundamentals:

In this module you will familiarize yourself with Microsoft Defender for Identity and its detection capabilities. You will also learn about Microsoft Defender for Identity architecture, deployment options, licensing and the Microsoft Defender for Identity community.

What is Microsoft Defender for Identity? (V)
Understanding Microsoft Defender for Identity Licensing and Privacy (D)
Microsoft 365 Defender enriches the Microsoft Defender for Identity experience (B)
Defender for Identity Community (D)
- This is a Microsoft Defender for Identity Tech Community space that provides an opportunity to connect and discuss the latest news, updates, and best practices with Microsoft professionals and peers.
Defender for Identity Security Lab and Playbooks (D)

The purpose of the Microsoft Defender for Identity Security Alert lab tutorial is to illustrate Defender for Identity's capabilities in identifying and detecting suspicious activities and potential attacks against your network.

Planning your Microsoft Defender for Identity Deployment

Microsoft Defender for Identity Architecture (D)
Microsoft Defender for Identity Prerequisites (D)
Microsoft Defender for identity FAQs (D)

Deploying Microsoft Defender for Identity Deployment

Microsoft Defender for Identity Installation Overview (V)
Create your Azure ATP instance (D)
Connect to Active Directory (D)
Configuring the Microsoft Defender for Identity Sensor (D)
Excluding entities from detection's (D)
Working with sensitive accounts (D)

Intermediate:

In this module you will familiarize yourself with Microsoft Defender for Identity Security Posture Assessments, identifying indicators of compromise, suspicious activities and attacks, and lateral movement paths.

Identity Security Posture Assessments

Identify Suspicious Activities and Advanced Attacks

Microsoft Defender for Identity Detection's – Part 1 (V)
Microsoft Defender for Identity Detection's – Part 2 (V)
Reconnaissance Alerts (D)
Compromised Credential Alerts (D)
Lateral Movement Alerts (D)
Domain Dominance Alerts (D)
Exfiltration Alerts (D)

Investigate Lateral Movement Paths
In this module we will learn what Lateral Movement Paths are, and how to investigate.

What is a Lateral Movement Path? (D)
Tutorial: Use Lateral Movement Paths (LMPs) (D)

Indicators of Compromise

In this module we will investigate users, computers, and entities. This module includes gathering information around users, computers, and entities. Investigating activities and resources that may have been accessed.

Incident investigation with Microsoft Defender for identity (V)
Tutorial: Investigate a user (D)
Tutorial: Investigate a computer (D)
Tutorial: Investigate an entity (D)

Interactive Guides

Detect suspicious activity w/Defender for Identity (G)
- In this interactive guide, you'll learn how to detect suspicious activities and potential attacks on your network with Microsoft Defender for Identity. You'll see how Defender for Identity can help you identify reconnaissance attacks, investigate attacker behavior inside your network, and provide recommendations on reducing domain vulnerabilities.
Attack Response: Microsoft Defender for Identity (G)
- In this interactive guide, you’ll learn how to investigate and respond to attacks with Microsoft Defender for Identity. You’ll see how Microsoft Defender for Identity can help you examine suspicious activities, trace lateral movement, and prevent future breaches.

Advanced:

In this module you will familiarize yourself with Microsoft Defender for Identity Advanced Hunting within the Microsoft 365 Defender portal.

Advanced Hunting with Microsoft 365 Defender
In this module you will create advanced KQL threat-hunting queries. This module includes Microsoft Defender for Identity advanced KQL threat-hunting queries, and the creation of custom detection rules.

Microsoft Defender for Identity advanced KQL threat-hunting queries

Guide to Microsoft 365 Apps deployment and servicing at Microsoft Ignite

Meenah_Khosraw — Fri, 26 Feb 2021 18:45:19 GMT

In May 2020, we discussed how to modernize servicing by introducing a new Monthly Enterprise Channel, and in September, we introduced new cloud-based admin capabilities to help IT admins service Microsoft 365 Apps for their organizations.

This time at Ignite, we’re bringing you more! Learn what’s new and ask our Microsoft 365 Apps deployment experts any questions you have during one of our Office Hours Q&A sessions, or head over to the Microsoft 365 Apps discussion space and post your question there. Be sure to also check out the on-demand sessions, blogs, and Microsoft Docs articles below to learn more.

Office Hours
Q&A with Office experts on deploying and managing Microsoft 365 Apps for enterprise To support your efforts deploying and managing Microsoft 365 Apps, our team of experts will be hosting a Q&A series for IT professionals. We’ll discuss the new cloud-based management features available in the Microsoft 365 Apps admin center, such as inventory, apps health, security update status, and servicing profiles.	Wed. March 3 9:00 AM CET	Wed. March 3 9:00 AM PT	Wed. March 10 9:00 AM CET	Wed. March 10 9:00 AM PT

Office Hours

Q&A with Office experts on deploying and managing Microsoft 365 Apps for enterprise

To support your efforts deploying and managing Microsoft 365 Apps, our team of experts will be hosting a Q&A series for IT professionals. We’ll discuss the new cloud-based management features available in the Microsoft 365 Apps admin center, such as inventory, apps health, security update status, and servicing profiles.

Wed. March 3
9:00 AM CET

Wed. March 3
9:00 AM PT

Wed. March 10
9:00 AM CET

Wed. March 10
9:00 AM PT

On-demand sessions
Featured session: Manage Office apps deployments with tools & services Speakers: Amesh Mansukhani & Javier Carrillo Managing Office apps updates can be challenging. End-users demand shorter downtime, network admins want lower bandwidth consumption, and operations teams need dependable insights on deployments. Satisfying these requirements was a distant dream, until today. In this session, learn how new cloud services provide improved insights into your inventory and app health, along with tools for automated deployments and control to increase your workload efficiency and lower overall management TCO.
Insights and controls of Microsoft 365 Apps for admins (link to session coming soon) Speakers: Rebecca Keys & Reshma Kapoor With the increasing speed and complexity of moving to the cloud, IT admins are in a fast-paced, ever-changing environment. We want to put our admins in the driver's seat. In this session, you'll learn about actionable insights and effective controls we're developing in the Microsoft 365 admin center to make it easier for admins to manage monthly Office updates and leverage the user feedback signal on Microsoft 365 products to improve the health of their organization.
How to onboard devices to the Microsoft 365 Apps admin center (link to session coming soon) Speakers: Bob Clements & Martin Nothnagel In this session, learn how to manage the life cycle of your Office applications. We will walk you through the Office installation, onboarding devices to the Microsoft 365 Apps admin center, registering with Inventory, and how to utilize Servicing Profiles.

On-demand sessions

Featured session:
Manage Office apps deployments with tools & services
Speakers: Amesh Mansukhani & Javier Carrillo

Managing Office apps updates can be challenging. End-users demand shorter downtime, network admins want lower bandwidth consumption, and operations teams need dependable insights on deployments. Satisfying these requirements was a distant dream, until today. In this session, learn how new cloud services provide improved insights into your inventory and app health, along with tools for automated deployments and control to increase your workload efficiency and lower overall management TCO.

Insights and controls of Microsoft 365 Apps for admins (link to session coming soon)
Speakers: Rebecca Keys & Reshma Kapoor

With the increasing speed and complexity of moving to the cloud, IT admins are in a fast-paced, ever-changing environment. We want to put our admins in the driver's seat. In this session, you'll learn about actionable insights and effective controls we're developing in the Microsoft 365 admin center to make it easier for admins to manage monthly Office updates and leverage the user feedback signal on Microsoft 365 products to improve the health of their organization.

How to onboard devices to the Microsoft 365 Apps admin center (link to session coming soon)
Speakers: Bob Clements & Martin Nothnagel

In this session, learn how to manage the life cycle of your Office applications. We will walk you through the Office installation, onboarding devices to the Microsoft 365 Apps admin center, registering with Inventory, and how to utilize Servicing Profiles.

Additional resources

Microsoft 365 Apps health - Deploy Office | Microsoft Docs

Inventory - Deploy Office | Microsoft Docs

Security Currency - Deploy Office | Microsoft Docs

To keep up with the latest news, live events and on-demand sessions during Microsoft Ignite, be sure to subscribe to the Microsoft 365 Tech Community blog! Or if you have a question, head over to the Microsoft 365 Tech Community discussion space and start a conversation.

Announcing Microsoft 365 Multi-Geo coverage in Brazil

John_Mighell — Wed, 24 Feb 2021 17:00:00 GMT

We are excited to announce the availability of Microsoft 365 Multi-Geo in Brazil! With the addition of Brazil, you can now utilize Multi-Geo to extend your Microsoft 365 tenant to store users’ Exchange Online, OneDrive for Business, and SharePoint data in one or more of our 16 available geographies:

Asia Pacific	European Union	Japan	Switzerland
Australia	France	Korea	United Arab Emirates
Brazil	Germany	Norway	United Kingdom
Canada	India	South Africa	United States

This is the latest announcement as part of the Microsoft More for Brazil plan that supports inclusive growth through technology, sustainability and skilling programs, including the expansion of Microsoft’s cloud infrastructure in Brazil.

Microsoft 365 Multi-Geo enables customers to reduce their on-premises footprint and meet data residency obligations by allocating user data at rest to our available geo locations in the Microsoft 365 cloud, all within a single tenant. For more details, check out this Microsoft Docs article Microsoft 365 Multi-Geo.

For in-depth information on the overall Microsoft 365 data center strategy and Multi-Geo, check out this video from Ignite 2020:

Pricing and Licensing

Multi-Geo is available as an add-on to the following Microsoft 365 subscription plans for EA customers with a minimum of 250 seats in their Microsoft 365 tenant, and a minimum of 5% of the Microsoft 365 seats within a tenant having corresponding Multi-Geo Capabilities for Microsoft 365. Please contact your Microsoft account team for details.

Microsoft 365 F1, F3, E3, or E5

Office 365 F3, E1, E3, or E5

Exchange Online Plan 1 or Plan 2

OneDrive for Business Plan 1 or Plan 2

SharePoint Online Plan 1 or Plan 2

Licensing

Resource mailboxes (Rooms/Equipment) and Shared mailboxes need to be licensed for Multi-Geo
Microsoft 365 Group Mailboxes that have moved to Satellite Geos will not need to be licensed for Multi-Geo

How can I get Multi-Geo?

Reach out to your Microsoft representative to purchase Multi-Geo Capabilities for Microsoft 365.

Questions?

If you have any questions, include them in a comment on this thread and we'll be happy to answer them!

New Resource Reporting

bwatts670 — Wed, 24 Feb 2021 17:00:00 GMT

Intro

One of the common ask I get from customers is to alert on new resources when they are created. I typically hesitate to alert every time a single resource is created because I think the better approach is to generate a report of new resource on a schedule. So, for this blog I want to walk you through utilizing Azure Logic Apps along with Azure Log Analytics to generate a useful report that you can schedule.

Sneek Peak

Before we jump into implementation let’s look at what the Logic Apps looks like.

As you can see this is a simple Logic App. We only have 3 steps in this process:

Schedule: simple scheduler to kick off the workflow
Query for New Resources: Query Log Analytics Workspace using the KQL language to find new resources.
Email HTML Report: Send the results of the KQL query via email as a HTML attachment.

Below is an example of the HTML Report:

Prerequisites

If you’re interested in implementing this Logic App you need to be aware of a few requirements:

1. You need to send you’re Azure Activity Logs to a Log Analytics Workspace in order for the Log Analytics query to come back with any results.

Azure Activity log - Azure Monitor | Microsoft Docs

2. For the example below I use the connector to Office365. So you either need an Office365 account or you need to use a different action for the email.

Implementing

Hopefully, everyone is still interested and wants to look at this in your environment. Well let’s walk through importing the Logic App!

Step 1: Create a Logic App

You can follow the below document to create a Logic App if you’ve never created one before:

Quickstart - Create your first Logic Apps workflow - Azure portal - Azure Logic Apps | Microsoft Docs

You can name you’re Logic App whatever you like. I chose to name mine “NewResourcesReport”

Step 2: Customize the Logic App

When you create the Logic App it will bring you to the Template page. You can choose “Recurrence” to get started with the Logic App.

I typically like to rename my steps before I do anything. So whenever I mention renaming a step you simply click on the “…” for the step and choose rename:

Complete the following for the “Recurrence” step:

Rename to “Schedule”

Set to whatever interval you wish. I’m choosing to run mine once a week.

Click on “+ New Step”, search for “Azure Monitor”, and choose “Azure Monitor Logs”

This will bring up the actions available for “Azure Monitor Logs” and we will use the “Run query and visualize results”

Rename the action to “Query for New Resources”

Enter the following values to connect to the Log Analytics Workspace where your “Azure Activity Logs” are being sent.

Subscription: Azure Subscription where the Log Analytics Workspace is located

Resource Group: Azure Resource Group where the Log Analytics Workspace is located
Resource Type: Log Analytics Workspace
Resource Name: Log Analytics Workspace where the Azure Activity Logs are being sent
Query:

let ResourceCreation=AzureActivity | where OperationNameValue =~ 'MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE'; ResourceCreation | summarize arg_max(TimeGenerated, *) by CorrelationId | where ActivityStatusValue =~ 'Success' | project CorrelationId | join kind=inner (ResourceCreation | summarize arg_min(TimeGenerated, *) by CorrelationId) on CorrelationId | project TimeGenerated, Caller, CallerIpAddress, ResourceGroup, ResourceId

Time Range: Should match with you Schedule Activity. For example, my schedule is for once a week so I chose “Last 7 days”

Chart Type: Html Table

Click on “+ New Step” below this activity, search for “send an email (v2)”, and choose the Office 365 Outlook action named “Send an email (V2)”

Rename the Action to “Email HTML Report” and fill out the following:

Body: Whatever you wish for the Body of the email
Subject: Whatever you wish for the Subject of the email
To: Fill out the emails you wish to receive the report
Click on “Add new parameter” and choose “Attachment”

Attachment Content: from the “Dynamic content” choose “Attachment Content” under “Query for New Resources”
Attachment Name: Something like “Resources.html”

That’s it for the Logic App. You should now click on “Save” and once the Logic App is saved click on “Run”

Summary

With the help of Azure Log Analytics and the Kusto query language we are able to create a simple 3 step Logic App that will generate a HTML report that is emailed out on a recurring basis. This is a great example of how Azure Logic Apps can be a great tool to utilize as an Azure Administrator.

Guide to Microsoft Ignite – Employee Experience Edition

Seth Patton — Fri, 26 Feb 2021 21:35:07 GMT

By Seth Patton, General Manager, Microsoft 365 Next Gen Productivity & Employee Experience

We’re a week away from Microsoft Ignite! If you have not registered yet, secure your spot today and browse the session catalog to build your personalized schedule. Here’s a quick rundown of sessions to get you started if you’re looking to learn more about Microsoft Viva, the first employee experience platform (EXP) built for the digital era.

Keynote

The hybrid workplace by Jared Spataro
We think of 2020 as the year many of us worked from home. In fact, it’s the year that work moved to the cloud. Flexible work is here to stay. Join Jared Spataro to learn how we’re empowering people to work from home, on the go, and at the office.

Tuesday, March 2 | 9:45 – 10:15 AM PST

Tuesday, March 2 | 7:15 PM – 7:45 PM PST

Featured Session

Meet Microsoft Viva: a new kind of employee experience by Chuck Friedman
The first employee experience platform built for the digital era, Microsoft Viva brings together communications, knowledge, learning, resources, and insights into an integrated experience that empowers people and teams to be their best, from anywhere. Join us as we introduce a new approach and a new category of technology solutions. Powered by the full breadth and depth of Microsoft 365, Viva is experienced through Microsoft Teams and other Microsoft 365 apps that people use every day.

Wednesday, March 3 | 12:00 PM – 12:30 PM PST

Wednesday, March 3 | 9:30 PM – 10:00 PM PST

Ask the Experts

ATE-FS193 | Ask the Experts: Meet Microsoft Viva: a new kind of employee experience
Now that you have the basics covered, we invite you to ask the questions that may not have been answered in sessions already. There will be a team of Subject Matter Experts available to answer questions both on camera and in chat and point you in the right direction to get started on your own Microsoft Viva journey. Come with questions about all four modules – Viva Connections, Viva Topics, Viva Learning, and Viva Insights.

Wednesday, March 3 | 2:00 PM – 2:30 PM PST

On-Demand Sessions

OD369 | Introducing Microsoft Viva Connections by Adam Harmetz
Viva Connections is your gateway to a modern employee experience - are you ready to inform, engage and empower your organization? Join us as we show you how Viva Connections provides a curated, personalized and company-branded experience that centralizes relevant news and conversations. Deploy easily as it's fully integrated in the apps and devices your teams already use every day, like Microsoft Teams. Discover how you can shape culture and foster communication to help your teams thrive.

OD372 | Microsoft Viva Topics: Put knowledge to work with content and AI by Chris McNulty and Naomi Moneypenny
Viva Topics frees up time by making it easy for people to find information and put knowledge to work. And SharePoint Syntex uses advanced AI and machine teaching to amplify human expertise, automate content processing, and transform content into knowledge.

OD370 | Introducing Microsoft Viva Learning by John Mighell and Swati Jhawar
The Viva Learning app in Teams creates a central hub for learning where people can discover, share, recommend, and learn from content libraries across an organization. Join us for details on Viva Learning implementation, configuration, features, and details on public preview availability.

OD368 | Microsoft Viva Insights: Create a culture where people and business thrive by Kamal Janardhan
The success of your business hinges on the success of your people. When people feel balanced, they can bring their best. Discover how you can empower, people, teams, and organizations to improve productivity and wellbeing through data-driven, insights and actionable recommendations with Microsoft Viva Insights. You’ll also learn about the default safeguards you can rely on to protect personal privacy, such as de-identification, aggregation, and differential privacy.

Product Roundtables @ Connection Zone

If you like engaging in conversation with Microsoft product experts and peers, come join us in the Connection Zone and sign up for the Product Roundtables. Here’s one from the Microsoft Viva team:

Improving employee experiences with Microsoft Viva Connections

Join this session to hear more about Microsoft Viva Connections directly from the product team and to share your needs for employee experiences. How do employees stay up to date, communicate with leaders, find resources, and perform simple tasks (checking paystubs, taking time off, completing reimbursements)? We're especially interested in learning more about these scenarios for your mobile-first employees and frontline worker populations.

See you at Ignite on March 2-4, 2021 and follow the #MSIgnite action on Twitter: @MSIgnite, @MSTCommunity, @MSFTMechanics. Be sure to check back here on this blog for the latest product updates and news.

******

“Viva Las Microsoft with Jared Spataro” – The Intrazone Podcast

In case you missed it, tune in to this special #MSFTViva episode of The Intrazone podcast with Jared Spataro.

99.99% uptime for Azure Active Directory B2C

nadimabdo — Wed, 24 Feb 2021 17:00:00 GMT

With digital engagement for customers and citizens surging over the past year, resilience and security for our Azure Active Directory (Azure AD) B2C customers has been top of mind.

I am excited to announce that starting May 25, we will update our public service level agreement (SLA) to promise a 99.99% uptime for Azure AD B2C user authentication, which is an improvement from our previous 99.9% SLA.

This builds on our recent announcement of 99.99% uptime for Azure AD user authentication beginning April 1, 2021. In alignment with our updates to the Azure AD SLA, we are revising the Azure AD B2C SLA to include only user authentication and federation in the definition of Azure AD B2C SLA availability.

Thank you for your ongoing trust and partnership.

Learn more about Microsoft identity:

Return to the Azure Active Directory Identity blog home
Join the conversation on Twitter and LinkedIn
Share product suggestions on the Azure Feedback Forum

A modern approach to cloud NAS in the Azure Marketplace

Christine_Alford — Wed, 24 Feb 2021 16:17:21 GMT

Moving on-premises applications to the cloud brings about critical data issues for information technology teams, such as performance, storage costs, and availability. Additionally, software-as-a-service (SaaS) providers must design applications to ensure data scalability while considering key requirements such as outages, hardware failures, segmentation, and service interruptions.

Partners like Buurst have built network-attached storage (NAS) tools to enhance Microsoft Azure, the global, industry-leading cloud platform. Stephen Spector, Head of Marketing at Buurst, describes how the modern, cloud-native Buurst SoftNAS addressed requirements for one customer:

Companies such as HighRadius, a financial tech enterprise SaaS application provider, requires 99.999 percent uptime for its global customers. Its advanced analytics technology running artificial intelligence (AI) services in Azure must be operational, as data streams are analyzed constantly and any service interruption would prevent the AI from fully processing potential critical data.

High availability was critical for HighRadius. Buurst SoftNAS delivered targeted data management features for availability, high performance, and scalability, with data from Buurst’s SoftNAS SNAP HA replicated across availability zones to provide just-in-case failover protection for HighRadius’ SaaS product.

SoftNAS also provides value-added data availability on Azure, like data deduplication across zones and cross-zone high availability with automatic failover. These services not only provide 99.999 percent uptime, but also are backed by Buurst’s no downtime guarantee.

“We have extensively tested replication across availability zones, failover and failback features of SoftNAS SNAP HA, and found all features worked with no problems," said Suresh Babu Marella, Senior Director of Cloud Infrastructure at HighRadius. "Fortunately, the SoftNAS NAS has run so well that we have never seen a failover while in production, but we are glad we have the peace of mind that high availability is there in case we need it.”

To learn more about SoftNAS on Azure, watch this video demo.

Your Guide to Microsoft Teams @ Microsoft Ignite Spring 2021

Microsoft_Teams_team — Mon, 01 Mar 2021 17:49:21 GMT

Microsoft Spring Ignite is just around the corner and we’d like to share a preview of what you’ll see from Microsoft Teams at this event. This spring we will be focused on external collaboration, meetings, and digital events and webinars. We’ve created sessions that span the breadth of Teams to give you a view into our product capabilities, answer your questions, and provide insights into how your organization can create an even better hybrid workplace with Microsoft Teams.

Featured Sessions
To kick off the event, we will be presenting our Modern Work and Teams featured sessions. Learn from leaders across the Teams business, and get an in-depth view of our product vision, the latest capabilities, and upcoming releases.

The Hybrid Workplace - Jared Spataro, Corporate Vice President, Modern Work
The Latest Innovations with Microsoft Teams - Nicole Herskowitz, General Manager, Microsoft Teams Marketing
Secure and Compliant Collaboration with Microsoft Teams – John Gruszczyk, Product Marketing Manager; and Mansoor Malik, Principal General Product Manager
Easy, Intuitive Webinars with Microsoft Teams: Virtual Engagement in the Age of Remote Work – Lars Johnson, Sr. Director, Microsoft Teams Marketing; and Christina Torok, Sr. Product Marketing Manager

Ask the Expert sessions
If you’re looking to engage with Teams product and engineering experts, join an “Ask the Expert” session following our featured sessions. “Ask the Expert” is a place to get your questions answered and hear directly from subject matter experts. Space is limited so make sure to add these to your calendar ASAP.

Additionally, explore our on-demand sessions offering you a deeper dive into a variety of key topics. See our digital brochure below for the full list where you can take advantage of all of our sessions at any time.

Resources
Below is a list of resources so you can learn more now or bookmark to reference later:

Register for Microsoft Ignite and start building your event schedule with Teams sessions.
Check out all our Teams sessions at: https://aka.ms/TeamsSessions to view videos and join the conversation.
Follow Microsoft Teams on Twitter to stay up to date with the latest Teams @ Ignite news.

Teams Sessions Digital Brochure
Click the session titles to access sessions:

Building better products together with our customers

Jeff Teper — Wed, 24 Feb 2021 16:00:00 GMT

How do teams at Microsoft learn from our customers? How do we know that we’re building products in a way that will meet our customers’ needs?

I’m excited to share with you how our Microsoft 365 engineering teams are working to get better customer insights to build products that delight customers and help them be successful. This journey began about two years ago and has been a great partnership across the leaders in our Microsoft 365 engineering organization that builds productivity experiences and devices for people at home, work, and school. The products we build include Teams, Office, OneDrive, SharePoint, Windows, Surface, Search, Microsoft Graph, and Admin experiences including Analytics, Endpoint management, and more.

What does this look like in practice? We believe it is imperative that we incorporate input and feedback at every stage of product development. We want to make sure that we surface the critical assumptions we have about customers and hold ourselves accountable to check those assumptions with them. All of our engineers, regardless of whether they are an early in career software engineer or a seasoned design leader, are encouraged to make a habit of meeting directly with customers and consulting data and insights along the way.

Customer-driven behaviors in practice

We have been sharing stories of individuals and teams who are positively impacting culture, products, and customers. These stories serve as a source of inspiration for those who have yet to embrace the vital behaviors of customer-driven culture. One story we have told that has resonated with many comes from the Surface Packaging team, in which customer feedback forced them to rethink what ‘premium’ meant to their customers.

Better insights on what customers need, greater empathy for the challenges they might face with our products, and more advanced methodologies for having experimentation-based software development lead to better products for our customer. These elements also contribute to employees feeling more energized and excited by the purpose of what we're doing for our customers – you feel like you're not making the big sales pitch for Microsoft; instead, you're just listening to what a customer needs from us. Being a curious listener to a customer builds awareness, empathy, and excitement and creates energy. We’ve focused not only on driving excitement through grassroots efforts amongst individual contributors and new hires to the organization, but are also empowering our people managers with tools and resources to help them work with their teams to ensure customer voice is at the forefront of how we are building our products.

We’ve made it easy for anyone in our 30,000 person organization to talk to and have a dialogue with a customer. Now that we can’t travel to conferences and have on-campus customer engagements, we’ve been running virtual customer engagements for almost a year, and have learned a lot. We are able to engage with an even more diverse set of customers than we would be able to do in-person, because attendance is remote and friction such as travel is removed. For example, in September 2020, the Microsoft Ignite conference was all-virtual and the audience significantly increased in size; we had more opportunities to listen to small business than we typically get during the conference. Requirements from large enterprises can vary significantly other smaller organizations, and it’s important that we are hearing from everybody, and our teams are challenged to pivot their perspectives with new information that challenges outdated data or biases.

Microsoft 365 engineering teams highly value these opportunities to engage in conversation with our customers, and we hear from our customers that they do too. They say things like: “It's refreshing to feel like we're being heard, and that our inputs matter”, “The two-way forum (yields) great technical input and output. Feels like true collaboration”, “It used to be that only MVPs and large clients had access to this … getting feedback from folks across industries is extremely helpful”.

How can you get involved?

During the upcoming Microsoft Ignite conference March 2-4, join a Product Roundtable meeting to get your voice heard, in small group discussion, with the engineers building the products you use. The Product Roundtables meetings can be accessed through the Microsoft Ignite Connection Zone.
If you can’t make it to the Microsoft Ignite conference, or you want to stay connected on an ongoing basis: join an ongoing customer insider panel to share your experiences and provide input on new designs that engineering are iterating on for future investments.

As we in Microsoft continue on our journey of being customer-driven, we are thankful for all the opportunities we have to learn from our customers so we can do our best work. Everything we do, from the pixels we paint on the screen to the compiler changes we make to get higher quality code out to customers faster do impacts customers and makes a difference.

Azure Service Bus | Receive Messages from DLQ for Queue/Subscription

ankitaja — Wed, 24 Feb 2021 03:21:39 GMT

Azure Service Bus queues and topic subscriptions provide a secondary subqueue, called a dead-letter queue(DLQ). The dead-letter queue need not to be explicitly created and can't be deleted or otherwise managed independent of the main entity.
Azure Service Bus messaging overview - Azure Service Bus | Microsoft Docs

Messages that can't be processed because of various reasons fall into DLQ. Below are few conditions where messages will fall into DLQ:
1. Not matching with the filter condition
2. TTL expired, header exceed
3. Quota exceed for header size
4. Max delivery count reached
5. Session enabled and sending messages without sessionID
6. Using more than 4 forward to

Case:
To receive DLQ messages from queue/subscription

Pre-Requisites:

1. Service Bus namespace
2. Already created queue/subscription
3. Should have messages in DLQ either for queue/subscription
4. Service Bus Explorer

We have multiple ways to receive messages from DLQ.

Using Service Bus Explorer:

Download the “Service Bus Explorer” from: https://github.com/paolosalvatori/ServiceBusExplorer
Open service bus explorer and click File and connect it.

From the drop down, select connection string and provide the connection string of the namespace level.

Once it is successfully connected, you will see Service Bus Explorer shows the count of the DLQ message.
In the below screenshot, there are 11 messages currently in the DLQ for the queue "ankitatest".
To receive messages from DLQ through SB explorer, you need to click on that particular queue and then click on “Deadletter” tab then one dialogue box will pop up then you need to click on “Receive and Delete”. The default value is Top10 so top10 messages will be received from DLQ.

The updated DLQ message count is now 1.

Through C# Code:

In the given screenshot, we have 12 messages in DLQ for queue and we wanted to receive them.

I will run the below code which will receive the message from the mentioned queue. Once you run the code successfully, you will see the message ID in the console window as below.

Now, check on SB explorer and you will see 1 message has been gone from DLQ.

class Program { static void Main(string[] args) { RetrieveMessageFromDeadLetterForQueue(); RetrieveMessageFromDeadLetterForSubscription(); } public static void RetrieveMessageFromDeadLetterForQueue() { var receiverFactory = MessagingFactory.Create( "sb://<ServiceBusNamespaceName>.servicebus.windows.net/", new MessagingFactorySettings { TokenProvider = TokenProvider.CreateSharedAccessSignatureTokenProvider("RootManageSharedAccessKey", "<NamespaceLevelKey>"), NetMessagingTransportSettings = { BatchFlushInterval = new TimeSpan(0, 0, 0) } }); string data = QueueClient.FormatDeadLetterPath("<QueueName>"); var receiver = receiverFactory.CreateMessageReceiver(data); receiver.OnMessageAsync( async message => { var body = message.GetBody<Stream>(); lock (Console.Out) { Console.WriteLine(message.MessageId); } await message.CompleteAsync(); }, new OnMessageOptions { AutoComplete = false, MaxConcurrentCalls = 1 }); } public static void RetrieveMessageFromDeadLetterForSubscription() { var receiverFactory = MessagingFactory.Create( "sb://<NS>.servicebus.windows.net/", new MessagingFactorySettings { TokenProvider = TokenProvider.CreateSharedAccessSignatureTokenProvider("RootManageSharedAccessKey", "<NamespaceLevelSASKey>"), NetMessagingTransportSettings = { BatchFlushInterval = new TimeSpan(0, 0, 0) } }); string data = SubscriptionClient.FormatDeadLetterPath("<TopicName>", "<SubscriptionName>"); var receiver = receiverFactory.CreateMessageReceiver(data); receiver.OnMessageAsync( async message => { var body = message.GetBody<Stream>(); lock (Console.Out) { Console.WriteLine("Message ID :" + message.MessageId); } await message.CompleteAsync(); }, new OnMessageOptions { AutoComplete = false, MaxConcurrentCalls = 1 }); } }

Experiencing Data Latency Issue in Azure portal for Log Analytics - 02/24 - Resolved

Azure-Monitor-Team — Wed, 24 Feb 2021 01:02:00 GMT

Final Update: Wednesday, 24 February 2021 00:59 UTC

We've confirmed that all systems are back to normal with no customer impact as of 2/24, 00:20 UTC. Our logs show the incident started on 2/23, 19:45 UTC and that during the ~4 hours 25 min that it took to resolve the issue customers in East US2 experienced intermittent data latency and incorrect alert activation.

Root Cause: The failure was due to one of the backend services becoming unhealthy.
Incident Timeline: 4 Hours & 25 minutes - 2/23, 19:45 UTC through 2/24, 00:20 UTC

We understand that customers rely on Azure Log Analytics as a critical service and apologize for any impact this incident caused.

-Anupama

How to use REST API to send notifications to Baidu device?

yawhu — Wed, 24 Feb 2021 00:33:09 GMT

This article will introduce how to use Azure Notification Hub REST API to send a notification to device with Baidu Push. It provides an example of how to retrieve the PNS handle and send notification to device using REST API with Baidu Push.

Pre-requirement :

Before starting, you must setup a Baidu Push environment and create a application in Android Studio.

Download Baidu Push Android SDK
Create a Baidu Push account and create application : Getting Started with Baidu Push (baidu.com)
Create an application in Android Studio : Connect your app to the notification hub | Microsoft Docs

Getting started with Azure Notification Hub using Baidu

Enter API Key and SECRET KEY in Azure Portal -> Notification Hub -> Baidu (Android China).

Note : Go to the Configuration page of the Baidu Push application and you can find API KEY and SECRET KEY.
Execute your application in Android Studio and you should see below keywords in.
errorCode=0 : 0 means the device is registered successfully via Baidu SDK.
userId : copy this for next step
channelId: copy this for next step

Create a registration for the device. This method generates a registration ID, which you can subsequently use to retrieve, update, and delete this registration.
- Request

Method	Request URI
POST	https://<notification_hub_namespace>.servicebus.windows.net/<notification_hub_name>/registrations/?api-version=2015-01

- Request Headers

Request Header	Description
Content-Type	application/atom+xml;type=entry;charset=utf-8
Authorization	Azure Service Bus access control with Shared Access Signatures - Azure Service Bus \| Microsoft Docs
x-ms-version	2015-01

- Request Body
XML

<?xml version="1.0" encoding="utf-8"?> <entry xmlns=http://www.w3.org/2005/Atom> <content type="application/xml"> <BaiduRegistrationDescription xmlns:i=http://www.w3.org/2001/XMLSchema-instance xmlns=http://schemas.microsoft.com/netservices/2010/10/servicebus/connect> <BaiduUserId>{userId}</BaiduUserId> <BaiduChannelId>{channelId}</BaiduChannelId> </BaiduRegistrationDescription > </content> </entry>

- Response Code

Code	Description
200	Registration created successfully.

- Response Body
Upon success, a validated Atom entry is returned. It includes read-only elements such as ETag, RegistrationId, and ExpirationTime. For example:
XML

<entry a:etag="W/"1"" xmlns=http://www.w3.org/2005/Atom xmlns:a=http://schemas.microsoft.com/ado/2007/08/dataservices/metadata> <id>https://notificationhubn.servicebus.windows.net/notificationhub1/registrations/{registerId}?api-version=2015-01</id> <title type="text">{registerId}</title> <published>2021-02-19T06:52:22Z</published> <updated>2021-02-19T06:52:22Z</updated> <link rel="self" href=https://notificationhubn.servicebus.windows.net/notificationhub1/registrations/{registerId}?api-version=2015-01/> <content type="application/xml"> <BaiduRegistrationDescription xmlns=http://schemas.microsoft.com/netservices/2010/10/servicebus/connect xmlns:i=http://www.w3.org/2001/XMLSchema-instance> <ETag>1</ETag> <ExpirationTime>9999-12-31T23:59:59.999</ExpirationTime> <RegistrationId>{registerId}</RegistrationId> <BaiduUserId>{userId}</BaiduUserId> <BaiduChannelId>{channelId}</BaiduChannelId> </BaiduRegistrationDescription> </content> </entry>

Use Test Send to check whether the device is registered successfully in the previous step.

Sends a Baidu native notification through a notification hub.
- Request

Method	Request URI
POST	https://<notification_hub_namespace>.servicebus.windows.net/<notification_hub_name>/messages/?api-version=2015-04

- Request Headers

Request Header	Description
Content-Type	application/json;charset=utf-8
Authorization	Azure Service Bus access control with Shared Access Signatures - Azure Service Bus \| Microsoft Docs
ServiceBusNotification-DeviceHandle	{RegistrationId}
ServiceBusNotification-Format	baidu
x-ms-version	2015-04

- Request Body
JSON

{"title":"Title","description":"Notification Hub test notification"}

- Response Code

Code	Description
201	Message successfully send to Baidu.

Your device should receive the notification you send in previous step in few seconds.

Additional Reference :

Introducing SSD Commercial Spares for Surface Pro 7+

TomerK — Wed, 24 Feb 2021 22:08:09 GMT

When we set out to design Surface Pro 7+, we wanted to make it easy for enterprise customers to retain data and repair units We listened to customer feedback about the critical importance of retaining confidential data and reducing the downtime incurred by a servicing issue. That’s why we’re pleased to announce that beginning today, commercial customers in the U.S. will be able to purchase Microsoft Surface Removal SSDs (rSSDs), enabling their IT technicians to service devices onsite.

Removal SSD commercial spares are primarily designed to address data retention. Enterprise IT departments are often required to retain data for liability reasons. When a company owned PC asset is transitioned between employees or when a company owned PC is sent in for repair or retired, sensitive data can be archived or destroyed. Companies retain full control over their data.

SSD kits consist of a single certified refurbished SSD —plus SSD screw. All volume sizes are available: 128GB, 256GB ,512GB or 1TB. At this time, the kits cover Surface Pro 7+ only and will not work for Surface Pro X or Surface Laptop Go. After the initial US rollout, we plan to gradually roll out the kits to all Surface regions.

To order, reach out to your regional reseller or Surface specialist (initially in the U.S. only) to order via regular commercial channels. We hope this makes it easier for commercial customers to retain their data on Surface Pro 7+ devices.

Finally, here are answers to some common questions customers may have:

Does the installation have to be done by an Authorized Service Provider (ASP)?

Removable SSDs (rSSDs) do not require a license or authorization. Microsoft recommends these repairs be performed by a skilled IT professional.

Does installation require a trained technician?

We recommend only a skilled IT technician perform the SSD replacement and while following Microsoft instructions in the Surface Pro 7+ removable SSD guide available on the Microsoft Download Center.

Can I upgrade Surface Pro 7+ devices by installing larger SSDs, or do I have to replace with the same size SSD that is removed?

Microsoft does not advise users to install an SSD that has not been tested for your device configuration. Microsoft takes measures to ensure product quality as well as testing hardware configurations offered for sale. Installing a third-party SSD or a different Microsoft SSD (of another volume size) may result in reduced performance and unsupported configurations.

What comes in the box when I purchase a commercial spare? Are there installation instructions?

The rSSD Commercial Spare Package includes only the replacement SSD and basic instructions. For complete instructions, refer to the Surface Pro 7+ removable SSD guide available on the Microsoft Download Center. It is recommended to store the rSSDs in their original packaging until they are used to prevent potential damage due to stacking.

Is there a software tool to erase the content of my old SSD?

You can use Surface Data Eraser or reimage the device to securely wipe all data stored on the SSD. The SSD must be installed during the process. Surface SSDs are encrypted by default.

Does the commercial spare SSD need to be imaged?

Yes. After a new SSD has been introduced in a host PC, users must use BitLocker recovery to restore the device. Alternatively, the device can be reimaged.

Can consumers place orders too?

Commercial Spares are not available for purchase in the regular consumer channels and are intended for use by enterprise customers only.

Business Email: Uncompromised – Part One

Giulian Garruba — Thu, 25 Feb 2021 23:32:22 GMT

This blog is part one of a three-part series focused on business email compromise.

Business email compromise (BEC) is a type of phishing attack that targets organizations, with the goal of stealing money or critical information. BEC has become a top-of-mind concern for CISOs – according to the Federal Bureau of Investigation, in 2019, BEC was the costliest type of cybercrime, accounting for 50% of all losses worldwide. Since 2016, BEC has accounted for more than 26 billion dollars in losses. Large corporations to small businesses, all have fallen victim to these attacks.

At Microsoft we have been actively working to block these attacks and working to disrupt attacker networks that look to propagate such crime. Microsoft Defender for Office 365 provides industry leading capabilities to protect against these sorts of attacks.

So how do these attacks work? How can organizations best protect themselves? In this blog series, we will explore the evolution of BEC attack tactics, provide a refresher on existing and new capabilities in Defender for Office 365 that help detect these attacks, and best practices that customers should follow to secure themselves against BEC attacks.

Anatomy of Business Email Compromise Attacks

The classic form of business email compromise involves targeting a set of employees through emails that seem to come from an email address that visually looks like someone the employee should trust. Once the trust is established, unsuspecting employees can be asked to execute fraudulent wire transfers or asked to reply with critical information. Unlike other email-based threats, these attacks do not rely on malicious files or links and instead rely on deception of trust and can be highly effective.

Here’s an example of a BEC attack we have observed recently.

Figure 1: A real-world BEC attack

At first glance, the email appears to come from the CEO to her employee and looks like a legitimate business email request for a payment. But upon further examination we detect that the sender is not the real CEO. The attackers use different techniques to make the email address look convincing.

Display name or From address look-alike (user impersonation)

Email clients use email properties like “Display Name” and “From Address” to show the sender of the email. Attackers forge these properties to make it visually look like a real sender. When we take a closer look at the below example, we see the mail came from a look-alike email address with a slightly different spelling.

Figure 2: User impersonation using a look-alike email address

Attackers often use spelling tricks or special characters to make the email name look convincing, and detecting these large number of possible combinations through naked eye or basic regular expressions (regex) can be quite challenging.

Domain address look-alike (domain impersonation)

In this technique, the attacker forges the email domain that visually looks like the domain of the victim’s organization or like the domain of one of their business partners. For example, in the below example, the email seems to come from a domain that looks like contoso.com but is spelled with a “zero” instead of an “o”.

Figure 3: Domain impersonation using a look-alike domain

Exact Domain Spoofing

In this technique, the attacker forges the domain to look exactly like the domain of the victim’s organization or like the domain of one of their business partners. Since they are exactly same, they make for a more convincing attack. Email protocols rely on email authentication standards such as SPF, DKIM, and DMARC to enable domain owners to “authenticate” their mails. If the domain does not configure these settings, they can be spoofed by the attacker to make an email look legitimate but will instead come from the attacker’s email server. In the example below, when we inspect the mail, the domain that the victim sees is contoso.com, but the actual sender is different.

Figure 4: Domain spoofing achieved through forgery

We refer to these classic attacks as single stage attacks. We see attackers leverage one or more of the above techniques to impersonate/spoof executives, business partners, IT/HR staff and more. The email content can contain a basic request to purchase gift cards, request HR or financial data, or request to process an invoice with updated payment details.

Figure 5: Single stage BEC attacks

Now that we have reviewed the attack techniques, let’s take a closer look at how we can protect against them.

User & Domain Impersonation Protection in Defender for Office 365

Detecting user and domain impersonation at scale and in a fast-evolving attack landscape requires systems that can quickly understand relationships between senders and recipients, detect anomalies in those relationships and detect “visual similarity” across many possible combinations.

Configuring AI-powered and policy-based protections

Microsoft Defender for Office 365 does this by employing a capability called Mailbox Intelligence, an AI-powered technology that builds a communication graph of every user. Once enabled, this system continuously learns about a user’s email patterns and their communication graph. When a BEC email is received, the system automatically detects an anomaly against the user’s graph. It then runs a powerful multi-pass algorithm to detect “visual similarity” across a large combination of user and domain names.

Security administrators can configure user, domain, and mailbox intelligence-based protection settings in the Anti-Phishing Policy within the Security Center. Once configured, these capabilities protect all users in the organization from attacks looking to impersonate any of their communication contacts. In an environment where anyone in an organization can be targeted by impersonation attacks, organizations need this capability to protect all users in the organization.

Figure 6: Mailbox Intelligence uses AI to build a communication graph for every user

We introduced these capabilities in Defender for Office 365 in 2018 and we are constantly updating them based on the latest threat patterns.

Hunting for BEC Attacks (Coming Soon!)

Given the targeted nature of BEC attacks, security analysts are looking for additional ways to analyze and hunt for information about these attacks in their environment.

To further increase the efficiency of the response of SecOps teams to impersonation-based attacks, we are rolling out new pivots in Threat Explorer to enable your security analysts to hunt for user and domain impersonation attempts in your organization. Threat Explorer helps security teams investigate and respond to threats efficiently, and these new capabilities allow analysts to dive deeper into potential BEC attacks. The new pivots will help security analysts answer questions like “Who is impersonating my CEO?”, “who is being targeted?”, “is a protected domain of my organization being impersonated?” and “are we seeing any false positives?” Admins can also configure alerts to be notified and Threat Tracker queries to quickly discover new attacks.

Figure 7: Use Threat Explorer to hunt for impersonated users

Domain Spoofing Protection & Email Authentication Checks in Defender for Office 365

Preventing spoofing with email authentication standards

To identify spoofing attempts, email standards like SPF, DKIM, and DMARC are evaluated on every incoming message. Office 365 honors these standards for domains that have properly configured these settings. Emails that fail DMARC checks will be sent to quarantine or routed to junk mail. You can learn more about email authentication in Office 365, and its implications on spoofing here.

Spoof Intelligence to prevent spoofing attacks

While DMARC is a useful tool in the email ecosystem, despite its value, our service-wide telemetry indicates that a large number of the domains that send email into your organization have not implemented DMARC or may not enforce it. This leaves your organization vulnerable as these domains can still be spoofed leaving the door open to business email compromise. This is important – If your partners and vendors have not enforced DMARC on their domains, their domains can be spoofed by attackers in deceptive emails to your users.

To address this challenge, Defender for Office 365 and Exchange Online Protection (EOP) use an industry-first technology called Spoof Intelligence. It uses advanced algorithms to learn about a domain’s email sending patterns and can flag anomalies. And most importantly, through this approach using Spoof Intelligence, Defender for Office 365 and EOP also extend spoofing protections to domains that might not have implemented DMARC yet.

Both spoof protection capabilities are enabled by default and are being constantly updated to learn from latest attacks.

Coming up in Part 2….

BEC attacks can be fairly complex and look extremely convincing. And they can result in a lot of damage to organizations that don’t have the appropriate protection. In this blog, we’ve looked at one flavor of BEC attacks – single stage attacks. We have also seen how capabilities in Defender for Office 365, described above, prevent the core components of business email compromise. In the next blog post, we’ll dive into more advanced flavors of BEC attacks, and talk about the different capabilities in Microsoft Defender for Office 365 that help you prevent, detect, and respond to multi-stage BEC attacks. Stay tuned!

To learn more about Microsoft Defender for Office 365, or to get started today, visit aka.ms/DefenderO365.

Augmenting Azure Advisor Cost Recommendations for Automated Continuous Optimization – Part 2

hspinto — Tue, 23 Feb 2021 22:36:47 GMT

This is the second post of a series dedicated to the implementation of automated Continuous Optimization with Azure Advisor Cost recommendations. For a contextualization of the solution described in this and following posts, please read the introductory post.

Introduction

As we saw in the previous post, if we want to better inform decisions on top of Azure Advisor right-size recommendations, we need to combine these with additional data coming from other sources:

First, we need Virtual Machines performance metrics to give visibility about why Advisor is recommending a downsize or shutdown. We need at least the last 7 days of aggregated metrics. There are many ways of collecting performance metrics for VMs in Azure – Azure Monitor platform metrics, Azure Log Analytics or Azure Diagnostics guest agent, or even a third-party monitoring solution. As we want to combine all data together into a single repository, using the Azure Log Analytics agent is the simplest approach, as performance metrics will automatically land where they will later be queried from. Of course, if you do not (or don’t want to) monitor your VMs with the Log Analytics agent, you can still ingest into Log Analytics the performance metrics aggregates coming from your favorite source. This series will only cover the Log Analytics agent scenario, though.
To validate whether a SKU recommended by Advisor can actually be used for a specific VM, we must check how many data disks and network interfaces are being used, as all SKUs have limits regarding these resources. The quickest and simplest way to get that information is to query Azure Resource Graph (ARG) for all our VMs.
Finally, if we want to validate if the current disk IOPS and throughput profile are supported in the recommended SKU, we must collect data about all VM disks, namely disk type (OS vs. data) and host caching options. Again, we will call ARG to the rescue! And having disks data, we can easily get an extra recommendation not yet supported by Advisor – guess what (more details in the next post :smiling_face_with_smiling_eyes:)!

Now let’s look at each of these data sources in detail and start building our Azure Optimization Engine pipeline.

Collecting Virtual Machine performance metrics

I am not going into the details of configuring the Log Analytics agent in your Azure Virtual Machines, as you have very good guidance in the official documentation. For collecting performance metrics with the Log Analytics agent, you have two options: the VM Insights solution and the agent native Perf solution. This series covers the latter option, as it provides more control over the metrics and collection intervals and we also want to optimize Azure consumption in the optimization tool itself ;) So, besides having all your VMs onboarded to Log Analytics, go to the Advanced Settings > Data blade and configure at least the following counters (if you already had your VMs being monitored by Log Analytics, then you just need to check if all needed counters are there):

Windows
- LogicalDisk(*)\Disk Read Bytes/sec
- LogicalDisk(*)\Disk Reads/sec
- LogicalDisk(*)\Disk Write Bytes/sec
- LogicalDisk(*)\Disk Writes/sec
- Memory(*)\Available MBytes
- Network Adapter(*)\Bytes Total/sec
- Processor(*)\% Processor Time
Linux
- Logical Disk(*)\Disk Read Bytes/sec
- Logical Disk(*)\Disk Reads/sec
- Logical Disk(*)\Disk Write Bytes/sec
- Logical Disk(*)\Disk Writes/sec
- Memory(*)\% Used Memory
- Network(*)\Total Bytes
- Processor(*)\% Processor Time

Disk counters need to be separated in both read and write dimensions, because of the impact of read/write host caching definitions - when looking at disk performance, we must consider cached vs. non-cached virtual machine disk throughput/IOPS limits. For the same reason, we need to collect metrics for all disk instances, because host caching is defined per disk. Network throughput is collected as totals, because network bandwidth limits are independent of network adapter or direction. Processor metrics are collected for all CPU instances, because overall percentages can be misleading (e.g., 50% total CPU usage may be a result of 100% usage in 1 core and 0% in another). Each performance counter instance collected at a 60 second interval consumes about 430 KB per computer per day in Log Analytics. In a scenario with 4 logical disks and 4 CPU cores, each computer would generate 27 performance counter instances (20 for logical disk, 1 for memory, 1 for network adapter and 5 for processor). If all performance counters were collected at the same 60 seconds frequency, each computer would generate ~11 MB of data per day. Of course, you can adjust the collection interval for some counters, if you want your solution to be costs-savvy (see example below).

Windows performance counters collection configuration in Log Analytics

Collecting Virtual Machine and Managed Disks properties

Collecting VM and disks properties with ARG is super easy. The VM queries are straightforward and self-explanatory:

resources

| where type =~ 'Microsoft.Compute/virtualMachines'

| extend dataDiskCount = array_length(properties.storageProfile.dataDisks), nicCount = array_length(properties.networkProfile.networkInterfaces)

| order by id asc

… for ARM VMs and …

resources

| where type =~ 'Microsoft.ClassicCompute/virtualMachines'

| extend dataDiskCount = iif(isnotnull(properties.storageProfile.dataDisks), array_length(properties.storageProfile.dataDisks), 0), nicCount = iif(isnotnull(properties.networkProfile.virtualNetwork.networkInterfaces), array_length(properties.networkProfile.virtualNetwork.networkInterfaces) + 1, 1)

| order by id asc

… for Classic VMs.

For Managed Disks, the query is more complicated, because we want to distinguish between OS and Data disks:

resources

| where type =~ 'Microsoft.Compute/disks'

| extend DiskId = tolower(id), OwnerVmId = tolower(managedBy)

| join kind=leftouter (

resources

| where type =~ 'Microsoft.Compute/virtualMachines' and array_length(properties.storageProfile.dataDisks) > 0

| extend OwnerVmId = tolower(id)

| mv-expand DataDisks = properties.storageProfile.dataDisks

| extend DiskId = tolower(DataDisks.managedDisk.id), diskCaching = tostring(DataDisks.caching), diskType = 'Data'

| project DiskId, OwnerVmId, diskCaching, diskType

| union (

resources

| where type =~ 'Microsoft.Compute/virtualMachines'

| extend OwnerVmId = tolower(id)

| extend DiskId = tolower(properties.storageProfile.osDisk.managedDisk.id), diskCaching = tostring(properties.storageProfile.osDisk.caching), diskType = 'OS'

| project DiskId, OwnerVmId, diskCaching, diskType

)

) on OwnerVmId, DiskId

| project-away OwnerVmId, DiskId, OwnerVmId1, DiskId1

| order by id asc

No support for Classic VM disks, though, as they are unmanaged resources lying as a page blob in some Azure Storage container. Contributors are welcome!

For larger environments, we’ll need to implement pagination as ARG only returns the first 1000 rows for each query (the ARG runbooks scripts below will show you how).

Deploying the Azure Optimization Engine (data collection)

Now that we have some ground about the data we need to collect, we can finally start deploying the Azure Optimization Engine (AOE) solution! We are just looking at data collection for the moment – no augmented recommendations yet – but we will deploy here all the necessary foundations for the complete solution to be presented in the upcoming posts. In the links below, you’ll be directed to the AOE repository, where you’ll find sooner or later the complete working solution.

The AOE solution is made of the following building blocks:

ARM template deploying Azure Automation account, runbooks and all required automation assets, Storage Account, SQL Database and, if needed, Log Analytics workspace. You can choose to reuse an existing Log Analytics workspace in case you were already monitoring your VMs before.
Export-AdvisorRecommendationsToBlobStorage runbook – collects from Advisor API the most recent recommendations and dumps them as CSV into a blob container.
Export-ARGVirtualMachinesPropertiesToBlobStorage runbook – collects from ARG the whole list of VMs and respective properties and dumps them as CSV into a different blob container.
Export-ARGManagedDisksPropertiesToBlobStorage runbook – collects from ARG the whole list of Managed Disks and respective properties and dumps them as CSV into a different blob container.
Ingest-OptimizationCSVExportsToLogAnalytics runbook – scans a blob container and ingests all the unprocessed CSV blobs into a custom Log Analytics table (content type specific). To keep track of the CSV and number of CSV lines already processed, this runbook depends on a SQL Database, where it also gets details about the custom Log Analytics table corresponding to each CSV type.
Deploy-AzureAutomationEngine.ps1 – full deployment script which kicks off the ARM template deployment and sets up the SQL Database at the end.

So, to deploy the AOE, you just need to run the Deploy-AzureAutomationEngine script in an elevated prompt and authenticating to Azure with a user account having Owner permissions over the chosen subscription and enough privileges to register Azure AD applications (see details). You’ll be asked several details about your deployment options, including whether you want to reuse an existing Log Analytics workspace or start with a new one.

The deployment will take some minutes to complete and you’ll then be asked to enter a password for the Run As certificate for the Automation account. A couple of minutes more and the script will hopefully terminate successfully. In the event of an error, you can re-deploy with the same parameters, as the process is idempotent. You can check the Automation Account schedules created by the deployment (see picture below), which will trigger in a matter of a 1-2-hour timeframe.

Data collection and ingestion schedules in Azure Automation

Some minutes after all the ingestion runbooks run, you’ll be able to query in Log Analytics for those tables. We’ll make use of these records to generate our recommendations.

Azure Optimization Engine custom log tables available in Log Analytics

Once successfully deployed, and assuming you have your VMs onboarded to Log Analytics and collecting all the required performance counters, we have everything that is needed to start augmenting Advisor recommendations and even generate custom ones! Let it boil for some weeks and keep tuned – in the next post, we’re discussing how AOE produces the actual recommendations and we’ll going to finally see some light!

Experiencing Data Access Issue in Azure portal for Service Map - 02/23 - Resolved

Azure-Monitor-Team — Thu, 25 Feb 2021 20:05:51 GMT

Final Update: Thursday, 25 February 2021 19:55 UTC

We've confirmed that all systems are back to normal with no customer impact as of 2/25, 18:40 UTC. Our logs show the incident started on 2/15 and that during the duration of ~10 days that it took to resolve the issue some customers experienced issues seeing performance data in Azure monitor when Azure mode is selected and 5xx errors while viewing performance data on browser.

Root Cause: The failure was due to one of the back end services turning unhealthy after a deployment.
Incident Timeline: 2/15 through 2/25, 18:40 UTC

We understand that customers rely on Azure monitor for VM's as a critical service and apologize for any impact this incident caused.

-Anupama

Update: Thursday, 25 February 2021 04:22 UTC

Root cause has been isolated to service turning unhealthy after incorrect deployment which was impacting performance data view in Azure monitor when Azure mode is selected. To address this issue engineers are rolling back the service to previous healthy state. Some customers who have VM's sending data to workspaces, continue to experience issues seeing performance data in Azure monitor when Azure mode is selected and 5xx errors while viewing performance data on browser.

Work Around: None
Next Update: Before 02/26 04:30 UTC

-Anupama

Update: Thursday, 25 February 2021 01:28 UTC

Root cause has been isolated to service turning unhealthy after incorrect deployment which was impacting performance data view in Azure monitor when Azure mode is selected. To address this issue engineers are rolling back the service to previous healthy state. Some customers who have VM's sending data to workspaces, continue to experience issues seeing performance data in Azure monitor when Azure mode is selected and 5xx errors while viewing performance data on browser.

Work Around: None
Next Update: Before 02/25 05:30 UTC

-Anupama

Update: Thursday, 25 February 2021 00:01 UTC

Root cause has been isolated to service turning unhealthy after incorrect deployment which was impacting performance data view in Azure monitor when Azure mode is selected. To address this issue we are rolling out a fix to the service. Some customers who have VM's sending data to workspaces, continue to experience issues seeing performance data in Azure monitor when Azure mode is selected and 5xx errors while viewing performance data on browser.

Work Around: None
Next Update: Before 02/25 02:30 UTC

-Anupama

Update: Wednesday, 24 February 2021 22:01 UTC

We continue to investigate issues within Azure monitor for VM's. Preliminary investigation showed that the root cause was due to one of the back end component becoming inaccessible after a scheduled drill/test in EastUS2EUAP region. Further investigation shows that the root cause is due to regression that happened after a deployment on one of the back end services. Some customers who have VM's sending data to workspaces, continue to experience issues seeing performance data in Azure monitor when Azure mode is selected. Customers might also see 5xx errors while viewing the performance data on the portal.

Work Around: None
Next Update: Before 02/25 00:30 UTC

-Anupama

Update: Wednesday, 24 February 2021 12:02 UTC

We continue to investigate issues within Service Map. Root cause is due to one of the backend component becoming inaccessible after a scheduled drill/test in EastUS2EUAP region. Some customers who have VM's sending data to EastUS2EUAP workspaces, continue to experience issues seeing performance data in Azure monitor when Azure mode is selected.

Work Around: None
Next Update: Before 02/25 00:30 UTC

-Harshita

Update: Wednesday, 24 February 2021 01:32 UTC

We continue to investigate issues within Service Map. Root cause is due to one of the backend component becoming inaccessible after a scheduled drill/test in EastUS2EUAP region. Some customers who have VM's sending data to EastUS2EUAP workspaces, continue to experience issues seeing performance data in Azure monitor when Azure mode is selected.

Work Around: None
Next Update: Before 02/24 14:00 UTC

-Anupama

Update: Tuesday, 23 February 2021 21:22 UTC

We continue to investigate issues within Service map. Root cause is due to one of the backend component becoming inaccessible after a scheduled drill/test in EastUS2EUAP region. Some customers who have VM's sending data to EastUS2EUAP workspaces, continue to experience issues seeing performance data in Azure monitor when Azure mode is selected. The issue started at 16:00 UTC

Work Around: None
Next Update: Before 02/23 23:30 UTC

-Anupama

Balancing data protection and productivity in the digital era (VOICES OF DATA PROTECTION--Episode 1)

aletheap — Tue, 23 Feb 2021 19:18:57 GMT

Host: Bhavanesh Rengarajan – Principal Program Manager, Microsoft

Guest: Rudra Mitra – VP of Compliance Solutions, Microsoft

The following conversation is adapted from transcripts of Episode 1 of the Voices of Data Protection podcast. There may be slight edits in order to make this conversation easier for readers to follow along.

This podcast features the leaders, program managers from Microsoft and experts from the industry to share details about the latest solutions and processes to help you manage your data, keep it safe and stay compliant. If you prefer to listen to the audio of this podcast instead, please visit: aka.ms/voicesofdataprotection

BHAVANESH: Welcome to Voices of Data Protection! I’m your host Bhavanesh Rengarajan, and I’m a Principal Program Manager at Microsoft. In this first episode, I talk with Rudy (Rudra) Mitra, Vice President of Compliance Solutions at Microsoft 365. Rudy has been with Microsoft for more than 20 years, helping organizations keep data safe and minimize risks.

Rudy and I will discuss how the pandemic and remote work have accelerated the need for compliance, how organizations are navigating this new landscape, and how Microsoft is developing a strong solutions roadmap to help organizations and people succeed in these unprecedented times!

Thank you, Rudy, for taking time to speak with us today, please give us a quick introduction of your role at M365 Compliance and your charter.

RUDRA: Hey Bhavy, how's it going? I'm Rudy Mitra, the Vice President of Compliance Solutions at Microsoft 365. And looking forward to having this chat.

BHAVANESH: Would you quickly cover your areas of operation and talk about your team as well?

RUDRA: At Microsoft 365 with our compliance solutions, we think about areas such as data governance, data protection, insider risk management, which we can probably go into a little bit more, discovering content and auditing the access to content. And then of course, compliance management to round it out, all geared towards keeping enterprise data safe, secure, and helping organizations work on risk, reducing risks.

BHAVANESH: So, let me ask you this question, how has compliance as a scene evolved since the pandemic and switching to working from home. And how are you thinking or reassessing the roadmap in these unprecedented tough times?

RUDRA: Of course, as you know, we all find ourselves in these unprecedented times. And organizations are looking to react as the workforce goes remote. And so, you know, a couple of things are coming forward as we sort of listen to customers, as we talked to them with remote work, it's all about sort of where the organization's data is now located, where it's flowing as we work from home. There's lots of questions in organization's mind about how to keep their data secure, but also ensure employees can stay as productive as possible, not put-up walls to their productivity. So that's sort of one key theme that we continue to hear and react to. Also, things like making sure the risk from communications, which are now happening more in the digital medium, you know, like us talking to each other versus the cooler talk or in other places, there's a lot more of that going on, meaning that there could potentially be risks with that data, what's talked about, what's in email, what's in chats. So covering those bases for compliance, making sure, you know, if there's anything that needs to be discovered or flagged or protected, that's another key theme through all of this. So, remote work, we've all been transitioning to it, but at the same time, maintaining that sense of compliance, meaning maintaining that sense of security of data protection of that data, key themes for organizations that are pretty much globally is what we hear.

BHAVANESH: Would it be fair to say that the need for compliance has grown over the last few months compared to where we were about a year ago?

RUDRA: Oh, for sure. This whole situation has accelerated the move to some digital medium. I think Satya says this really well from Microsoft, which is, he's sort of puts it as the transition to digital and acceleration to the cloud move for organizations has really accelerated because that is the way to stay productive. That is the way to operate in this, in this situation. And with that, the need for compliance, as you just pointed out, has tremendously accelerated. And we see this not only in the customer conversations, but we also see this in the adoption and usage of our solutions.

BHAVANESH: Since I heard you say that you're looking into information protection, governance, and insider risk management as some of the key pillars, what are some of the core concerns or struggles that you hear from our customers and what they feel they do not have a solution around today?

RUDRA: The intellect property of an organization, intuitively, is the thing they are trying to protect most. That’s the place where compliance really is important to make sure that their intellectual property is safe. They know where it is as workers for the enterprise access and data from home, what devices it on. It could be a managed, it could be unmanaged. So, the information protection need for these core assets is the key requirement we hear. When you think about areas like data loss prevention, very geared towards making sure that what is important for the company, stays within the enterprise is control, they know where it's going, particularly in this distributed environment. And then of course, you know, where, where company secrets are involved, where company intellectual property is involved, being able to classify that content, being able to say what's the important information from what the non-important information is so important now, to be able to make sure you can protect that 5% of data, 2% of data, 10% of data from everything else. That's more data in the organization. And just to put this in perspective, by some, some measures it's estimated that we are now doubling the digital data for an organization large or small every couple of years with continued acceleration on it, which means the volume of data that you're trying to figure out your intellectual property out of protected, whether that's patient records, whether that's taskforce forms, whether that's blueprints, for manufacturing, financial records, very important things to talk about the scale aspects of it and being able to protect what's important from maybe all the other digital data that's floating around.

BHAVANESH: That's really exciting, Rudy. So how does your roadmap address all these concerns for your customers?

RUDRA: A great question. What we feel at Microsoft is that this explosion of data combined with the trend of remote work just brings to forefront the need for automated solutions, solutions, leverage the best of machine learning. And yeah, yeah, I do assist with the production of data would be identification when there are insider risks. And what we really leaned in on is solutions that are ML and AI powered so that these can scale. It's very different when you're trying to do this at small scale versus really the scale at which businesses operate today, large, or small. We talked a little bit about the, the volume of data and in that context, automation is super important, so, that's sort of number one. Number two for our solutions is being part of the productivity experience or users and users. You know, it's very easy to sort of say, I'm going to protect data that no one ever accesses, right. I can lock it up in a vault and protect it, but what's the fun in that then there's no productivity, but it's 100% secure. And so, this balance of experiences that are geared towards productivity and security and protection and compliance is important. And so when you think about the work that we've done in the Office applications, in SharePoint, in Teams where the person working on it is in the flow of their work, they never leave their flow, but their knowledge, if they're dealing with sensitive information, they know that they have to deal with it carefully combined with things like IT manageability, where they don't have to deploy additional add ins it's part of the product experiences and apps.

This is sort of number two on our sort of areas of focus, which is balancing productivity and protection. And then number three is sort of our partners and the work that we do with our ecosystem to make sure that this is not just production for Microsoft data, but for all data. Because an enterprise is messy, it has data in different places. And so really our production solutions are important as well.

BHAVANESH: And Rudy, I think I'm going to throw you a curveball. It will be good to get your perspective as well as a customer. Let's say that if they are using a very manually operated system today, like you have manual labeling on sensitivity and retention, what kind of sedation would you give them so that they can basically increase their productivity by moving towards your automated solution, like auto labeling, using sensitive information, machine learning, AI? What would be your top three steps that you would suggest to them to move from here to there?

RUDRA: The idea of starting small with data loss prevention, you know, maybe starting with your data classification in, in more where they can see where the sensitive data is located. That's sort of how we are approach this question with customers united very daunting, maybe to think about going from having no information production solution to a fully deployed solution overnight. And as you correctly pointed out in your question, yeah. Now, how do you, how do you take this a step at a time with Microsoft 365? The fact that this is data loss prevention built into teams this is built into Word, Excel, PowerPoint, Outlook SharePoint gives you as an organization, the control to start small, you know, see how you can roll out data loss prevention first, or see your insights on sensitive data first in these different repositories where data may be located and from there, and build on different policies.

And with manual data, labeling classification back to your question, you're sort of still seeing an incomplete picture, but what you can do is automate that with the automation behind the scenes, run that in sort of test mode, run that in simulation mode, see what shows up and then go from there. So that's, that's sort of one part of it. If I may, the delivery, I'd kind of extend the question a little bit to also say that, you know, the work that we've been doing, an insider risk management, where, you know, we try to think about risks from people within the, within the organization. And just to put that in context, over 90% of organizations we survey and talk to say that they are worried about insider risks, and more than 50% of those risks are inadvertent, meaning that this isn't a malicious scenario, it's just an accidental leakage of data. It's an accident, explore exposure of data.

So when you use the automation, when you use the controls that we build into Microsoft 365, and then extend across your entire digital estate, you sort of see more of the picture light up, whether that's where the data is located with our know your data products or where sensitive data is that you need to protect or data loss prevention solutions you need to put on the end point or that, or the app. So, the automation can really be a staged rollout that augments what you may be doing already with manual controls.

BHAVANESH: Rudy, I think your last few statements really hits it out of the park. The vein, which I would like to summarize this as all of your companies, initiatives are totally focused towards trying to stop the accident, oversharing and breach of data. That's how it kind of sums up in my head.

RUDRA: Yeah, that's right, Bhavy. When we're all remote, you know, it's a, it's a very interesting time. We're all working in and in these unprecedented times, not to overuse that, but it really is a scenario. We're all navigating together, but we've never seen. It's work under duress. It's working in this remote environment and we've got so many things going on, you know, just to kind of bringing at home, for me, you know, I'm, I'm juggling the kids at home you know, and trying to be productive in the work I'm doing. I'm multitasking all the time. And making a mistake with the handling of the company's data, the enterprise data, you know, it's not going to be something for me, that's potentially malicious. It's going to be an accident. And so, yes, being automated to sort of be there to help someone and catch those kinds of scenarios and protect those scenarios, that's the very likely set of scenarios where we hear the customer need and want to be there to help them with it.

BHAVANESH: What have been some of your biggest learnings throughout your career working in this particular space?

RUDRA: Oh, wow. That is a little bit of a curveball. I would say as an engineer and as a product person, if I had to pick one out, I would say that being customer driven as we've worked on these areas in sort of our solution space of compliance, or sort of broadly, as we thought about how Microsoft delivers on security and compliance and identity solutions, it's really listening to customers. It's being very customer centric in terms of what we try to achieve for them. Making sure her activity for customers is as important as a compliance security is sort of our guiding light has been probably the biggest takeaway for us.

And, it's frankly been at the center of every solution that we're trying to build, because, you know, we could try to do these things in isolation and whatnot, but, you know, just as you talked a couple of times about the situation we find ourselves in right now, listening to the customer, going back to them, asking them how they're trying to navigate this and then adapting our solutions to it, probably has been very core to what we do. And frankly, very rewarding and trying to help customers.

To learn more about this episode of the Voices of Data Protection podcast, visit: https://aka.ms/voicesofdataprotection.

For more on Microsoft Information Protection & Governance, click here.

To subscribe to the Microsoft Security YouTube channel, click here.

Follow Microsoft Security on Twitter and LinkedIn.

Keep in touch with Bhavanesh: LinkedIn

Keep in touch with Rudra: LinkedIn | Twitter

Jupyter Notebook Pivot Functions

ianhelle — Tue, 23 Feb 2021 18:19:33 GMT

We recently released a new version of MSTICPy with a feature called Pivot functions.

This feature has three main goals:

Making it easy to discover and invoke MSTICPy functionality.
Creating a standardized way to call pivotable functions.
Letting you assemble multiple functions into re-usable pipelines.

The pivot functionality exposes operations relevant to a particular entity as methods (or functions) of that entity. These operations include:

Data queries
Threat intelligence lookups
Other data lookups such as geo-location or domain resolution
and other local functionality

Here are a couple of examples showing calling different kinds of enrichment functions from the IpAddress entity:

>>> from msticpy.datamodel.entities import IpAddress, Host    
>>> IpAddress.util.ip_type(ip_str="157.53.1.1"))
    ip          result    157.53.1.1  Public     
>>> IpAddress.util.whois("157.53.1.1"))
    asn  asn_cidr  asn_country_code  asn_date    asn_description  asn_registry  nets .....    
        NA   NA        US                2015-04-01  NA               arin          [{'cidr': '157.53.0.0/16'...     >>> IpAddress.util.geoloc_mm(value="157.53.1.1"))    CountryCode  CountryName    State   City   Longitude   Latitude   Asn...    US           United States  None    None   -97.822     37.751     None...

This second example shows a pivot function that does a data query for host logon events from a Host entity.

>>> Host.AzureSentinel.list_host_logons(host_name="VictimPc")
    Account               EventID   TimeGenerated                      Computer                 SubjectUserName   SubjectDomainName
    NT AUTHORITY\SYSTEM  4624     2020-10-01 22:39:36.987000+00:00     VictimPc.Contoso.Azure      VictimPc$          CONTOSO

You can also add other functions from 3rd party Python packages or ones you write yourself as pivot functions.

Terminology

Before we get into things let's clear up a few terms.

Entities - These are Python classes that represent real-world objects commonly encountered in CyberSec investigations and hunting. E.g., Host, URL, IP Address, Account, etc.

Pivoting - This comes from the common practice in CyberSec investigations of navigating from one suspect entity to another. E.g., you might start with an alert identifying a potentially malicious IP Address, from there you 'pivot' to see which hosts or accounts were communicating with that address. From there you might pivot again to look at processes running on the host or Office activity for the account.

Background reading

This article is available in Notebook form so that you can try out the examples. [TODO]

There is also full documentation of the Pivot functionality on our ReadtheDocs page.

Life before pivot functions

Before Pivot functions your ability to use the various bits of functionality in MSTICPy was always bounded by your knowledge of where a certain function was (or your enthusiasm for reading the docs).

For example, suppose you had an IP address that you wanted to do some simple enrichment on.

ip_addr = "20.72.193.242"

First, you'd need to locate and import the functions. There might also be (as in the GeoIPLiteLookup class) some initialization step you'd need to do before using the functionality.

from msticpy.sectools.ip_utils import get_ip_type
from msticpy.sectools.ip_utils import get_whois_info
from msticpy.sectools.geoip import GeoLiteLookup
geoip = GeoLiteLookup()

Next you might have to check the help for each function to work it parameters.

>>> help(get_ip_type)
Help on function get_ip_type in module msticpy.sectools.ip_utils: 
get_ip_type(ip: str = None, ip_str: str = None) -> str    
    Validate value is an IP address and deteremine IPType category.        ...

Then finally run the functions.

>>> get_ip_type(ip_addr)
'Public'

>>> get_whois_info(ip_addr)
('MICROSOFT-CORP-MSN-AS-BLOCK, US', 
    {'nir': None,  'asn_registry': 'arin',  'asn': '8075',  'asn_cidr': '20.64.0.0/10',  'asn_country_code': 'US',  'asn_date': '2017-10-18',  'asn_description': 'MICROSOFT-CORP-MSN-AS-BLOCK, US',  'query': '20.72.193.242',  'nets': ...

>>> geoip.lookup_ip(ip_addr)
([{'continent': 
    {'code': 'NA',    'geoname_id': 6255149,    'names': 
       {'de': 'Nordamerika',     'en': 'North America',     'es': 'Norteamérica',     'fr': 'Amérique du Nord',     'ja': '北アメリカ',     'pt-BR': 'América do Norte',     'ru': 'Северная Америка',     'zh-CN': '北美洲'}},   'country': {'geoname_id': 6252001,    'iso_code': 'US',    'names': {'de': 'USA',     'en': 'United States',     'es': 'Estados Unidos',     ...

At which point you'd discover that the output from each function was somewhat raw and it would take a bit more work if you wanted to combine it in any way (say in a single table).

In the rest of the article we'll show you how Pivot functions make it easier to discover data and enrichment functions. We'll also show how pivot functions bring standardization and handle different types of input (including lists and DataFrames) and finally, how the standardized output lets you chain multiple pivot functions together into re-usable pipelines of functionality.

Getting started with pivot functions

Let's get started with how to use Pivot functions.

Typically, we use MSTICPy's init_notebook function at the start of any notebook. This handles checking versions and importing some commonly-used packages and modules (both MSTICPy and 3rd party packages like pandas).

>>> from msticpy.nbtools.nbinit import init_notebook
>>> init_notebook(namespace=globals());
Processing imports........

Then there are a couple of preliminary steps needed before you can use pivot functions. The main one is loading the Pivot class.

Pivot functions are added to the entities dynamically by the Pivot class. The Pivot class will try to discover relevant functions from queries, Threat Intel providers and various utility functions.

In some cases, notably data queries, the data query functions are themselves created dynamically, so these need to be loaded before you create the Pivot class. (You can always create a new instance of this class, which forces re-discovery, so don't worry if mess up the order of things).

Note in most cases we don't need to connect/authenticate to a data provider prior to loading Pivot.

Let's load our data query provider for AzureSentinel.

>>> az_provider = QueryProvider("AzureSentinel")
Please wait. Loading Kqlmagic extension...

Now we can load and instantiate the Pivot class.

>>> from msticpy.datamodel.pivot import Pivot
>>> pivot = Pivot(namespace=globals())

Why do we need to pass "namespace=globals()"?

Pivot searches through the current objects defined in the Python/notebook namespace to find provider objects that it will use to create the pivot functions. This is most relevant for QueryProviders - when you create a Pivot class instance it will find and use the relevant queries from the az_provider object that we created in the previous step. In most other cases (like GeoIP and ThreatIntel providers, it will create new ones if it can't find existing ones).

Easy discovery of functionality

Find the entity name you need

The simplest way to do this is simply enumerate (using Python dir() function) the contents of the MSTICPy entities sub-package. This should have already been imported by the init_notebook function that we ran earlier.

The items at the beginning of the list with proper capitalization are the entities.

>>> dir(entities)
['Account', 'Alert', 'Algorithm', 'AzureResource', 'CloudApplication', 'Dns', 'ElevationToken', 'Entity', 'File', 'FileHash', 'GeoLocation', 'Host', 'HostLogonSession', 'IpAddress', 'Malware', ...

We're going to make this a little more elegant in a forthcoming update with this helper function.

>>> entities.find_entity("ip")
Match found 'IpAddress'msticpy.datamodel.entities.ip_address.IpAddress

Listing pivot functions available for an entity

Note you can always address an entity using its qualified path, e.g. "entities.IpAddress" but if you are going to use one or two entities a lot, it will save a bit of typing if you import them explicitly.

>>> from msticpy.datamodel.entities import IpAddress, Host

Once you have the entity loaded, you can use the get_pivot_list() function to see which pivot functions are available for it. The example below has been abbreviated for space reasons.

>>> IpAddress.get_pivot_list()
['AzureSentinel.SecurityAlert_list_alerts_for_ip',
'AzureSentinel.SigninLogs_list_aad_signins_for_ip',
'AzureSentinel.AzureActivity_list_azure_activity_for_ip',
'AzureSentinel.AzureNetworkAnalytics_CL_list_azure_network_flows_by_ip',
...
'ti.lookup_ip',
'ti.lookup_ipv4',
'ti.lookup_ipv4_OTX',
...
'ti.lookup_ipv6_OTX', 
'util.whois', 
'util.ip_type', 
'util.ip_rev_resolve', 
'util.geoloc_mm', 
'util.geoloc_ips']

Some of the function names are a little unwieldy but, in many cases, this is necessary to avoid name collisions. You will notice from the list that the functions are grouped into containers: "AzureSentinel", "ti" and "util" in the above example.

Although this makes the function name even longer, we thought that this helped to keep related functionality together - so you don't get a TI lookup function, when you thought you were running a query.

Fortunately, Jupyter notebooks/IPython support tab completion so you should not normally have to remember these names.

The containers ("AzureSentinel", "util", etc.) are also callable functions - they just return the list of functions they contain.

>>> IpAddress.util()
whois functionip_type functionip_rev_resolve functiongeoloc_mm functiongeoloc_ips function

Now we're ready to run any of the functions for this entity (we take the same initial examples from the "Life before pivot functions" plus a few more).

>>> IpAddress.util.ip_type(ip_addr)

	ip	result
0	20.72.193.242	Public

>>> IpAddress.util.whois(ip_addr)

	asn	asn_cidr	asn_country_code	asn_date	asn_description	asn_registry	nets
0	8075	20.64.0.0/10	US	2017-10-18	MICROSOFT-CORP-MSN-AS-BLOCK, US	arin	[{'cidr': '20.128.0.0/16, 20.48, ...

>>> IpAddress.util.ip_rev_resolve(ip_addr)

	qname	rdtype	response	ip_address
0	20.72.193.242	PTR	The DNS query name does not exist: 20.72.193.242.	20.72.193.242

>>> IpAddress.util.geoloc_mm(ip_addr)

	CountryCode	CountryName	State	City	Longitude	Latitude	Asn	edges	Type	AdditionalData	IpAddress
0	US	United States	Washington	None	-122.3412	47.6032	None	{}	geolocation	{}	20.72.193.242

>>> IpAddress.ti.lookup_ip(ip_addr)

	Ioc	IocType	SafeIoc	QuerySubtype	Provider	Result	Severity	Details
0	20.72.193.242	ipv4	20.72.193.242	None	Tor	True	information	Not found.
0	20.72.193.242	ipv4	20.72.193.242	None	VirusTotal	True	unknown	{'verbose_msg': 'Missing IP address', 'response_code': 0}
0	20.72.193.242	ipv4	20.72.193.242	None	XForce	True	warning	{'score': 1, 'cats': {}, 'categoryDescriptions': {}, 'reason': 'Regional Internet Registry', 're...

Notice that we didn't need to worry about either the parameter name or format (more on this in the next section). Also, whatever the function, the output is always returned as a pandas DataFrame.

For Data query functions you do need to worry about the parameter name

Data query functions are slightly more complex than most other functions and specifically often support many parameters. Rather than try to guess which parameter you meant, we require you to be explicit about it.

Before we can use a data query, we need to authenticate to the provider.

>>> az_provider.connect(WorkspaceConfig(workspace="CyberSecuritySoc").code_connect_str)

If you are not sure of the parameters required by the query you can use the built-in help

>>> Host.AzureSentinel.SecurityAlert_list_related_alerts?
Signature: Host.AzureSentinel.SecurityAlert_list_related_alerts(*args, **kwargs) -> Union[pandas.core.frame.DataFrame, Any]
Docstring:
Retrieves list of alerts with a common host, account or process
Parameters
----------
account_name: str (optional)
    The account name to find
add_query_items: str (optional)
    Additional query clauses
end: datetime (optional)
    Query end time
host_name: str (optional)
    The hostname to find
path_separator: str (optional)
    Path separator    (default value is: \\)
process_name: str (optional) ...

In this case we want the "host_name" parameter.

>>> Host.AzureSentinel.SecurityAlert_list_related_alerts(host_name="victim00").head(5)

	TenantId	TimeGenerated	AlertDisplayName	AlertName	Severity	Description	ProviderName	VendorName	VendorOriginalId	SystemAlertId	ResourceId	SourceComputerId	AlertType	ConfidenceLevel	ConfidenceScore	IsIncident	StartTimeUtc	EndTimeUtc	ProcessingEndTime	RemediationSteps	ExtendedProperties	Entities	SourceSystem	WorkspaceSubscriptionId	WorkspaceResourceGroup	ExtendedLinks	ProductName	ProductComponentName	AlertLink	Status	CompromisedEntity	Tactics	Type	Computer	src_hostname	src_accountname	src_procname	host_match	acct_match	proc_match
0	8ecf8077-cf51-4820-aadd-14040956f35d	2020-12-10 09:10:08+00:00	Suspected credential theft activity	Suspected credential theft activity	Medium	This program exhibits suspect characteristics potentially associated with credential theft. Onc...	MDATP	Microsoft	da637426874826633442_-1480645585	a429998b-8a1f-a69c-f2b8-24dedde31c2d			WindowsDefenderAtp		NaN	False	2020-12-04 14:00:00+00:00	2020-12-04 14:00:00+00:00	2020-12-10 09:10:08+00:00	[\r\n "1. Make sure the machine is completely updated and all your software has the latest patc...	{\r\n "MicrosoftDefenderAtp.Category": "CredentialAccess",\r\n "MicrosoftDefenderAtp.Investiga...	[\r\n {\r\n "$id": "4",\r\n "DnsDomain": "na.contosohotels.com",\r\n "HostName": "vict...	Detection				Microsoft Defender Advanced Threat Protection		https://securitycenter.microsoft.com/alert/da637426874826633442_-1480645585	New	victim00.na.contosohotels.com	CredentialAccess	SecurityAlert	victim00	victim00			True	False	False
1	8ecf8077-cf51-4820-aadd-14040956f35d	2020-12-10 09:10:08+00:00	'Mimikatz' hacktool was detected	'Mimikatz' hacktool was detected	Low	Readily available tools, such as hacking programs, can be used by unauthorized individuals to sp...	MDATP	Microsoft	da637426874826014018_-1390662053	edb68e6d-012d-4c6b-7408-20e679fb41c8			WindowsDefenderAv		NaN	False	2020-12-04 14:00:01+00:00	2020-12-04 14:00:01+00:00	2020-12-10 09:10:08+00:00	[\r\n "1. Make sure the machine is completely updated and all your software has the latest patc...	{\r\n "MicrosoftDefenderAtp.Category": "Malware",\r\n "MicrosoftDefenderAtp.InvestigationId": ...	[\r\n {\r\n "$id": "4",\r\n "DnsDomain": "na.contosohotels.com",\r\n "HostName": "vict...	Detection				Microsoft Defender Advanced Threat Protection		https://securitycenter.microsoft.com/alert/da637426874826014018_-1390662053	New	victim00.na.contosohotels.com	Unknown	SecurityAlert	victim00	victim00			True	False	False
2	8ecf8077-cf51-4820-aadd-14040956f35d	2020-12-10 09:10:08+00:00	Malicious credential theft tool execution detected	Malicious credential theft tool execution detected	High	A known credential theft tool execution command line was detected.\nEither the process itself or...	MDATP	Microsoft	da637426874824572229_-192666782	39912e77-045b-a082-a91e-8a18958d1b1c			WindowsDefenderAtp		NaN	False	2020-12-04 14:00:00+00:00	2020-12-04 14:00:00+00:00	2020-12-10 09:10:08+00:00	[\r\n "1. Make sure the machine is completely updated and all your software has the latest patc...	{\r\n "MicrosoftDefenderAtp.Category": "CredentialAccess",\r\n "MicrosoftDefenderAtp.Investiga...	[\r\n {\r\n "$id": "4",\r\n "DnsDomain": "na.contosohotels.com",\r\n "HostName": "vict...	Detection				Microsoft Defender Advanced Threat Protection		https://securitycenter.microsoft.com/alert/da637426874824572229_-192666782	New	victim00.na.contosohotels.com	CredentialAccess	SecurityAlert	victim00	victim00			True	False	False

Shown below is a preview of a notebook tool that lets you browser around entities and their pivot functions, search for a function by keyword and view the help for that function. This is going to be released shortly.

>>> Pivot.browse()

Standardized way of calling Pivot functions

Due to various factors (historical, underlying data, developer laziness and forgetfulness, etc.) the functionality in MSTICPy can be inconsistent in the way it uses input parameters.

Also, many functions will only accept inputs as a single value, or a list or a DataFrame or some unpredictable combination of these.

Pivot functions allow you to largely forget about this - you can use the same function whether you have:

a single value
a list of values (or any Python iterable, such as a tuple or even a generator function)
a DataFrame with the input value in one of the columns.

Let's take an example.

Suppose we have a set of IP addresses pasted from somewhere that we want to use as input.

We need to convert this into a Python data object of some sort.

To do this we can use another Pivot utility %%txt2df. This is a Jupyter/IPython magic function - to use it, just paste you data in a cell that you want to import into an empty. Use

 %%txt2df --help

in an empty cell to see the full syntax.

In the example below, we specify a comma separator, that the data has a headers row and to save the converted data as a DataFrame named "ip_df".

Warning if you specify the "--name" parameter, this will overwrite any existing variable of this name.

%%txt2df --sep , --headers --name ip_df
idx, ip, type
0, 172.217.15.99, Public
1, 40.85.232.64, Public
2, 20.38.98.100, Public
3, 23.96.64.84, Public
4, 65.55.44.108, Public
5, 131.107.147.209, Public
6, 10.0.3.4, Private
7, 10.0.3.5, Private
8, 13.82.152.48, Public

	idx	ip	type
0	0	172.217.15.99	Public
1	1	40.85.232.64	Public
2	2	20.38.98.100	Public
3	3	23.96.64.84	Public
4	4	65.55.44.108	Public
5	5	131.107.147.209	Public
6	6	10.0.3.4	Private
7	7	10.0.3.5	Private
8	8	13.82.152.48	Public

For demonstration purposes, we'll also create a standard Python list from the "ip" column of the DataFrame.

>>> ip_list = list(ip_df.ip)
>>> print(ip_list)
['172.217.15.99', '40.85.232.64', '20.38.98.100', '23.96.64.84', '65.55.44.108', '131.107.147.209', '10.0.3.4', '10.0.3.5', '13.82.152.48']

How did this work before?

If you recall the earlier example of get_ip_type, passing it a list or DataFrame doesn't result in anything useful.

>>> get_ip_type(ip_list)
['172.217.15.99', '40.85.232.64', '20.38.98.100', '23.96.64.84', '65.55.44.108', '131.107.147.209', '10.0.3.4', '10.0.3.5', '13.82.152.48']
does not appear to be an IPv4 or IPv6 address
'Unspecified'

Pivot versions are (somewhat) agnostic to input data format

However, the "pivotized" version can accept and correctly process a list.

>>> IpAddress.util.ip_type(ip_list)

	ip	result
0	172.217.15.99	Public
1	40.85.232.64	Public
2	20.38.98.100	Public
3	23.96.64.84	Public
4	65.55.44.108	Public
5	131.107.147.209	Public
6	10.0.3.4	Private
7	10.0.3.5	Private
8	13.82.152.48	Public

In the case of a DataFrame, we have to tell the function the name of the column that contains the input data.

>>> IpAddress.util.whois(ip_df)  # won't work!
---------------------------------------------------------------------------
KeyError                                  Traceback (most recent call last)
<ipython-input-32-debf57d805c7> in <module>
...
    173         input_df, input_column, param_dict = _create_input_df(
--> 174             input_value, pivot_reg, parent_kwargs=kwargs
    175         )
...
KeyError: ("'ip_column' is not in the input dataframe", 
'Please specify the column when calling the function.
You can use one of the parameter names for this:', ['column', 'input_column', 'input_col', 'src_column', 'src_col'])

>>> entities.IpAddress.util.whois(ip_df, column="ip")  # correct

nir	asn_registry	asn	asn_cidr	asn_country_code	asn_date	asn_description	query	nets
NaN	arin	15169	172.217.15.0/24	US	2012-04-16	GOOGLE, US	172.217.15.99	[{'cidr': '172.217.0.0/16', 'name': 'GOOGLE', 'handle': 'NET-172-217-0-0-1', 'range': '172.217.0...
NaN	arin	8075	40.80.0.0/12	US	2015-02-23	MICROSOFT-CORP-MSN-AS-BLOCK, US	40.85.232.64	[{'cidr': '40.80.0.0/12, 40.124.0.0/16, 40.125.0.0/17, 40.74.0.0/15, 40.120.0.0/14, 40.76.0.0/14...
NaN	NaN	NaN	NaN	NaN	NaN	NaN	NaN	NaN
NaN	NaN	NaN	NaN	NaN	NaN	NaN	NaN	NaN

Note: for most functions you can ignore the parameter name and just specify it as a positional parameter. You can also use the original parameter name of the underlying function or the placeholder name "value".

The following are all equivalent:

>>> IpAddress.util.ip_type(ip_list)
>>> IpAddress.util.ip_type(ip_str=ip_list)
>>> IpAddress.util.ip_type(value=ip_list)
>>> IpAddress.util.ip_type(data=ip_list)

When passing both a DataFrame and column name use:

>>> IpAddress.util.ip_type(data=ip_df, column="col_name")

You can also pass an entity instance of an entity as a input parameter. The pivot code knows which attribute or attributes of an entity will provider the input value.

>>> ip_entity = IpAddress(Address="40.85.232.64")
>>> IpAddress.util.ip_type(ip_entity)

	ip	result
0	40.85.232.64	Public

Iterable/DataFrame inputs and single-value functions

Many of the underlying functions only accept single values as inputs. Examples of these are the data query functions - typically they expect a single host name, IP address, etc.

Pivot knows about the type of parameters that the function accepts. It will adjust the input to match the expectations of the underlying function. If a list or DataFrame is passed as input to a single-value function Pivot will split the input and call the function once for each value. It then combines the output into a single DataFrame before returning the results.

You can read a bit more about how this is done in the Appendix - "how do pivot wrappers work?"

Data queries - where does the time range come from?

The Pivot class has a built-in time range, which is used by default for all queries. Don't worry - you can change it easily.

To see the current time setting:

>>> Pivot.current.timespan
TimeStamp(start=2021-02-15 21:01:40.381864, end=2021-02-16 21:01:40.381864, period=-1 day, 0:00:00)

Note: "Pivot.current" gives you access to the last created instance of the Pivot class - if you've created multiple instances of Pivot (which you rarely need to do), you can always get to the last one you created using this class attribute.

You can edit the time range interactively

Pivot.current.edit_query_time()

Or by setting the timespan property directly.

>>> from msticpy.common.timespan import TimeSpan
>>> # TimeSpan accepts datetimes or datestrings
>>> timespan = TimeSpan(start="02/01/2021", end="02/15/2021")
>>> Pivot.current.timespan = timespan
TimeStamp(start=2021-02-01 00:00:00, end=2021-02-15 00:00:00, period=-14 days +00:00:00)

In an upcoming release there is also a convenience function for setting the time directly with Python datetimes or date strings.

Pivot.current.set_timespan(start="2020-02-06 03:00:00", end="2021-02-15 01:42:42")

You can also override the built-in time settings by specifying start and end as parameters to the query function.

Host.AzureSentinel.SecurityAlert_list_related_alerts(host_name="victim00", start=dt1, end=dt2)

Supplying extra parameters

The Pivot layer will pass any unused keyword parameters to the underlying function. This does not usually apply to positional parameters - if you want parameters to get to the function, you have to name them explicitly. In this example the add_query_items parameter is passed to the underlying query function

>>> entities.Host.AzureSentinel.SecurityEvent_list_host_logons(
        host_name="victimPc",
        add_query_items="| summarize count() by LogonType"
    )

	LogonType	count_
0	5	27492
1	4	12597
2	3	6936
3	2	173
4	10	58
5	9	8
6	0	19
7	11	1

Pivot Pipelines

Because all pivot functions accept DataFrames as input and produce DataFrames as output, it means that it is possible to chain pivot functions into a pipeline.

Joining input to output

You can join the input to the output. This usually only makes sense when the input is a DataFrame. It lets you keep the previously accumulated results and tag on the additional columns produced by the pivot function you are calling.

The join parameter supports "inner", "left", "right" and "outer" joins (be careful with the latter though!) See pivot joins documentation for more details.

Although joining is useful in pipelines you can use it on any function whether in a pipeline or not. In this example you can see that the idx, ip and type columns have been carried over from the source DataFrame and joined with the output.

>>> entities.IpAddress.util.whois(ip_df, column="ip", join="inner")

idx	ip	type	nir	asn_registry	asn	asn_cidr	asn_country_code	asn_date	asn_description	query	nets
0	172.217.15.99	Public	NaN	arin	15169	172.217.15.0/24	US	2012-04-16	GOOGLE, US	172.217.15.99	[{'cidr': '172.217.0.0/16', 'name': 'GOOGLE', 'handle': 'NET-172-217-0-0-1', 'range': '172.217.0...
1	40.85.232.64	Public	NaN	arin	8075	40.80.0.0/12	US	2015-02-23	MICROSOFT-CORP-MSN-AS-BLOCK, US	40.85.232.64	[{'cidr': '40.80.0.0/12, 40.124.0.0/16, 40.125.0.0/17, 40.74.0.0/15, 40.120.0.0/14, 40.76.0.0/14...
2	20.38.98.100	Public	NaN	arin	8075	20.36.0.0/14	US	2017-10-18	MICROSOFT-CORP-MSN-AS-BLOCK, US	20.38.98.100	[{'cidr': '20.64.0.0/10, 20.40.0.0/13, 20.34.0.0/15, 20.128.0.0/16, 20.36.0.0/14, 20.48.0.0/12, ...

Pipelines

Pivot pipelines are implemented pandas customr accessors. Read more about Extending pandas here.

When you load Pivot it adds the mp_pivot pandas DataFrame accessor. This appears as an attribute to DataFrames.

>>> ips_df.mp_pivot
<msticpy.datamodel.pivot_pd_accessor.PivotAccessor at 0x275754e2208>

The main pipelining function run is a method of mp_pivot. run requires two parameters

the pivot function to run and
the column to use as input.

See mp_pivot.run documentation for more details.

Here is an example of using it to call four pivot functions, each using the output of the previous function as input and using the join parameter to accumulate the results from each stage.

1. (
2.     ips_df
3.     .mp_pivot.run(IpAddress.util.ip_type, column="IP", join="inner")
4.     .query("result == 'Public'").head(10)
5.     .mp_pivot.run(IpAddress.util.whois, column="ip", join="left")
6.     .mp_pivot.run(IpAddress.util.geoloc_mm, column="ip", join="left")
7.     .mp_pivot.run(IpAddress.AzureSentinel.SecurityAlert_list_alerts_for_ip, source_ip_list="ip", join="left")
8. ).head(5)

Let's step through it line by line.

The whole thing is surrounded by a pair of parentheses - this is just to let us split the whole expression over multiple lines without Python complaining.
Next we have ips_df - this is just the starting DataFrame, our input data.
Next we call the mp_pivot.run() accessor method on this dataframe. We pass it the pivot function that we want to run (IpAddress.util.ip_type) and the input column name (IP). This column name is the column in ips_df where our input IP addresses are. We've also specified an join type of "inner". In this case the join type doesn't really matter since we know we get exactly one output row for every input row.
We're using the pandas query function to filter out unwanted entries from the previous stage. In this case we only want "Public" IP addresses. This illustrates that you can intersperse standard pandas functions in the same pipeline. We could have also added a column selector expression ([["col1", "col2"...]]), for example, if we wanted to filter the columns passed to the next stage
We are calling a further pivot function - whois. Remember the "column" parameter always refers to the input column, i.e. the column from previous stage that we want to use in this stage.
We are calling geoloc_mm to get geo location details joining with a "left" join - this preserves the input data rows and adds null columns in any cases where the pivot function returned no result.
Is the same as 6 except the called function is a data query to see if we have any alerts that contain these IP addresses. Remember, in the case of data queries we have to name the specific query parameter that we want the input to go to. In this case, each row value in the ip column from the previous stage will be sent to the query.
Finally we close the parentheses to form a valid Python expression. The whole expression returns a DataFrame so we can add further pandas operations here (like .head(5) shown here).

>>> (
       ips_df
       .mp_pivot.run(entities.IpAddress.util.ip_type, column="IP", join="inner")
       .query("result == 'Public'").head(10)
       .mp_pivot.run(entities.IpAddress.util.whois, column="ip", join="left")
       .mp_pivot.run(entities.IpAddress.util.geoloc_mm, column="ip", join="left")
       .mp_pivot.run(entities.IpAddress.AzureSentinel.SecurityAlert_list_alerts_for_ip, source_ip_list="ip", join="left")
   ).head(5)

	TenantId	TimeGenerated	AlertDisplayName	AlertName	Severity	Description	ProviderName	VendorName	VendorOriginalId	SystemAlertId	AlertType	ConfidenceLevel
0	8ecf8077-cf51-4820-aadd-14040956f35d	2020-12-23 14:08:12+00:00	Microsoft Threat Intelligence Analytics	Microsoft Threat Intelligence Analytics	Medium	Microsoft threat intelligence analytic has detected Blocked communication to a known WatchList d...	Threat Intelligence Alerts	Microsoft	91d806d3-6b6f-4e5c-a78f-e674d602be51	625ff9af-dddc-0cf8-9d4b-e79067fa2e71	ThreatIntelligence	83
1	8ecf8077-cf51-4820-aadd-14040956f35d	2020-12-23 14:08:12+00:00	Microsoft Threat Intelligence Analytics	Microsoft Threat Intelligence Analytics	Medium	Microsoft threat intelligence analytic has detected Blocked communication to a known WatchList d...	Threat Intelligence Alerts	Microsoft	173063c4-10dd-4dd2-9e4f-ec5ed596ec54	c977f904-ab30-d57e-986f-9d6ebf72771b	ThreatIntelligence	83
2	8ecf8077-cf51-4820-aadd-14040956f35d	2020-12-23 14:08:12+00:00	Microsoft Threat Intelligence Analytics	Microsoft Threat Intelligence Analytics	Medium	Microsoft threat intelligence analytic has detected Blocked communication to a known WatchList d...	Threat Intelligence Alerts	Microsoft	58b2cda2-11c6-42b8-b6f1-72751cad8f38	9ee547e4-cba1-47d1-e1f9-87247b693a52	ThreatIntelligence	83

Other pipeline functions

In addition to run, the mp_pivot accessor also has the following functions:

display - this simply displays the data at the point called in the pipeline. You can add an optional title, filtering and the number or rows to display
tee - this forks a copy of the DataFrame at the point it is called in the pipeline. It will assign the forked copy to the name given in the var_name parameter. If there is an existing variable of the same name it will not overwrite it unless you add the clobber=True parameter.

In both cases the pipelined data is passed through unchanged.

See Pivot functions help for more details.

Use of these is shown below in this partial pipeline.

    ...
    .mp_pivot.run(IpAddress.util.geoloc_mm, column="ip", join="left")
    .mp_pivot.display(title="Geo Lookup", cols=["IP", "City"])  # << display an intermediate result
    .mp_pivot.tee(var_name="geoip_df", clobber=True)  # << save a copy called 'geoip_df'
    .mp_pivot.run(IpAddress.AzureSentinel.SecurityAlert_list_alerts_for_ip, source_ip_list="ip", join="left")

In the next release we've also implemented:

tee_exec - this executes a function on a forked copy of the DataFrame The function must be a pandas function or custom accessor. A good example of the use of this might be creating a plot or summary table to display partway through the pipeline.

Extending Pivot - adding your own (or someone else's) functions

You can add pivot functions of your own. You need to supply:

the function
some metadata that describes where the function can be found and how the function works

Full details of this are described here.

The current version of Pivot doesn't let you add functions defined inline (i.e. written in the notebook itself) but this will be possible in the forthcoming release.

Let's create a function in a Python module my_module.py. We can do this using the %%write_file magic function and running the cell.

%%writefile my_module.py
"""Upper-case and hash"""
from hashlib import md5

def my_func(input: str):
    md5_hash = "-".join(hex(b)[2:] for b in md5(input.encode("utf-8")).digest())
    return {
        "Title": input.upper(),
        "Hash": md5_hash
    }

We also need to create a YAML definition file for our pivot function. Again we can use %%write_file to create a local file in the current directory. We need to tell Pivot

the name of the function and source module,
the name of the container that the function will appear in,
the input type expected by the function ("value", "list" or "dataframe")
which entities to add the pivot to, along with a corresponding attribute of the entity. (The attribute is used in cases where you are passing an instance of an entity itself as an input parameter - if in doubt just use any valid attribute of the entity).
The name of the input attribute of the underlying function.
An (optional) new name to give the function.

%%writefile my_func.yml
pivot_providers:
  my_func_defn:
    src_func_name: my_func
    src_module: my_module
    entity_container_name: cyber
    input_type: value
    entity_map:
      Host: HostName
    func_input_value_arg: input
    func_new_name: upper_hash_name

Now we can register the function we created as a pivot function.

>>> from msticpy.datamodel.pivot_register_reader import register_pivots
>>> register_pivots("my_func.yml")

An then run it.

>>> Host.cyber.upper_hash_name("host_name")

	Title	Hash	input
0	HOST_NAME	5d-41-40-2a-bc-4b-2a-76-b9-71-9d-91-10-17-c5-92	host_name

In the next release, this will be available as a simple function that can be used to add a function defined in the notebook as shown here.

from hashlib import md5

def my_func2(input: str):
    md5_hash = "-".join(hex(b)[2:] for b in md5(input.encode("utf-8")).digest())
    return {
        "Title": input.upper(),
        "Hash": md5_hash
    }


Pivot.add_pivot_function(
    func=my_func2,
    container="cyber",  # which container it will appear in on the entity
    input_type="value",
    entity_map={"Host": "HostName"},
    func_input_value_arg="input",
    func_new_name="il_upper_hash_name",
)

Host.cyber.il_upper_hash_name("host_name")

	Title	Hash	input
0	HOST_NAME	5d-41-40-2a-bc-4b-2a-76-b9-71-9d-91-10-17-c5-92	host_name

Conclusion

We've taken a short tour through the MSTICPy Pivot functions, looking at how they make the functionality in MSTICPy easier to discover and use.

I'm particularly excited about the pipeline functionality. In the next release we're going to make it possible to define reusable pipelines in configuration files and execute them with a single function call. This should help streamline some common patterns in notebooks for Cyber hunting and investigation.

Please send any feedback or suggestions for improvements to msticpy@microsoft.com or create an issue on https://github.com/microsoft/msticpy.

Happy hunting!

Appendix - how do pivot wrappers work?

In Python you can create functions that return other functions. This is called wrapping the function.

It allows the outer function to do additional things to the input parameters and the return value of the inner function.

Take this simple function that just applies proper capitalization to an input string.

def print_me(arg):
    print(arg.capitalize())

print_me("hello")

Hello

If we try to pass a list to this function we get an expected exception since the function only knows how to process a string

print_me(["hello", "world"])
---------------------------------------------------------------------------
AttributeError                            Traceback (most recent call last)
<ipython-input-36-94b3e61eb86f> in <module>
…
AttributeError: 'list' object has no attribute 'capitalize'

We could create a wrapper function that checked the input and iterated over the individual items if arg is a list. The works but we don't want to have to do this for every function that we want to have flexible input!

def print_me_list(arg):
    if isinstance(arg, list):
        for item in arg:
            print_me(item)
    else:
        print_me(arg)

print_me_list("hello")
print_me_list(["how", "are", "you", "?"])

Hello

How

Are

You

Instead, we can create a function wrapper.

In the example below, the outer function dont_care_func defines an inner function - list_or_str - and then returns this function. The inner function list_or_str is what implements the same "is-this-a-string-or-list" logic that we saw in the previous example. Crucially though, it isn't hard-coded to call print_me but calls whatever function is passed (the func parameter) to it from the outer function dont_care_func.

# Our magic wrapper
def dont_care_func(func):

    def list_or_str(arg):
        if isinstance(arg, list):
            for item in arg:
                func(item)
        else:
            func(arg)
    return list_or_str

How do we use this?

We simply pass the function that we want to wrap to dont_care_func. Recall, that this function just returns an instance of the inner function. In this case the value func will have been replaced by the actual function print_me.

 print_stuff = dont_care_func(print_me)

Now we have a wrapped version of print_me that can handle different types of input. Magic!

print_stuff("hello")
print_stuff(["how", "are", "you", "?"])

Hello

How

Are

You

We can also define further functions and create wrapped versions of those by passing them to dont_care_func.

def shout_me(arg):
    print(arg.upper(), "\U0001F92C!", end=" ") 

shout_stuff = dont_care_func(shout_me)

shout_stuff("hello")
shout_stuff(["how", "are", "you", "?"])

HELLO 🤬! HOW 🤬! ARE 🤬! YOU 🤬! ? 🤬!

The wrapper functionality in Pivot is a bit more complex than this but essentially operates this way.

Windows Server and SQL Server at Ignite 2021

diannamarks — Fri, 26 Feb 2021 16:30:28 GMT

Next steps

Thank you for being part of the Windows Server and SQL Server community and watching our session at Ignite! Here are some ways you can accelerate your digital transformation:

Take advantage of Azure Hybrid Benefit
Visit Azure Migrate to ease your journey to Azure
Try Azure Automanage preview
Try Windows Admin Center in Azure preview

Also, don’t forget to check out more resources below!

Training Videos

Windows Server

Windows Server on the Microsoft Azure YouTube Channel

Tech Community Video Hub

Automanage Skilling Video

SQL Server

Azure for Beginners video series

Automate management with the SQL Server IaaS Agent extension - YouTube

Blogs

Windows Server

Stay up to date on the latest news, product updates and announcements on the Windows Server blog channel.

SQL Server

Always Encrypted with secure enclaves in Azure SQL Database preview

Rehost your SQL Server to Azure Virtual Machines for manageability and cost optimization

Tech Community

Windows Server

Share best practices, get the latest news and learn from experts about Windows Server here

SQL Server

SQL Server - Microsoft Tech Community

Azure SQL Tech Community

Documentation

Windows Server

Check out the plethora of official technical documentation, questions, and learning resources on the Windows Server Docs page.

SQL Server

Azure SQL documentation

Events

Check out our recent events such as the Hybrid Event by ITOps Talk on February 2^nd and more on the Microsoft Events Catalog.

Watch our recent webinar Maximize your Windows and SQL Server Investments.

Microsoft Learn

Explore Windows Server and SQL Server guided learning paths or how to accomplish a specific task through individual modules.

Windows Server Learning Paths

Azure SQL Learning Paths

Partner Network

Equip yourself with partner resources such as demos, readiness materials, offers, and more to be the best partner you can be for your Windows Server customers.

Plan your Microsoft Azure experience at Microsoft Ignite

Mark Winters — Wed, 24 Feb 2021 18:32:26 GMT

Microsoft Ignite, our free digital event, starts next week and runs from March 2-4, 2021. We thought you might be interested to learn ways you can plan to experience the power of Microsoft Azure and connect with your worldwide data, infrastructure, applications, and hybrid communities like never before. Attendees will learn about new innovations, speak with Microsoft experts from around the globe, and continue your technical learning journey.

Create the perfect event schedule
Explore the session catalog to find expert speakers, interactive sessions, and more. After registering, get started on your journey at myignite.microsoft.com/sessions.

Below are seven featured sessions on Microsoft Azure you can’t miss:

Follow #MSIgnite

Explore the latest event news, trending topics, and share your point of view in real time with your community. Join us on Twitter and LinkedIn by using #MSIgnite.

Join today >

Connection Zone

Only at #MSIgnite will you meet the engineers and partners who build and maintain our tools and get the answers to your toughest technical questions. Register for an Ask the Expert session at #MSIgnite.

Connect today >

Learning Zone

The Learning Zone is the center for training, development, and certification with Microsoft. Whatever your style of learning happens to be, you can find content and interactive opportunities to boost and diversify your cloud skills.

Explore today >

One-on-one consultation

Schedule your 45-minute, one-on-one consultation with Microsoft Azure experts in infrastructure, data and AI, and application development.

Schedule today >

Continue your learning journey

Find your way to deeper content, training options, communities, and certification details across all Microsoft cloud solutions from one place.

Start exploring >

Azure portal January 2021 update

Ariya_Khamvongsa — Tue, 23 Feb 2021 17:23:32 GMT

Other> Azure Resource Mover

Multi-level dependency analysis
Encrypted VM support
Health monitoring & auto-resolve for VMs

Other>Azure Cloud Services (extended support)

Cloud Services (extended support) is now available in public preview in Azure portal

Intune

Updates to Microsoft Intune

  Let’s look at each of these updates in greater detail.

Other> Azure Resource Mover

Multi-level dependency analysis

Responding to feedback, we have added an enhancement to the dependency analysis feature where users can now choose to do multi-level dependency analysis and be able to identify all dependencies in one go. This reduces the number of validation steps and makes identifying dependencies during large scale move seamless.

Users still have the option to choose between the multi-level & single level dependencies based on whether you want to assign resources in the destination at any point, and do not want the service to create all the resources till the last node.

Encrypted VM support
Customers, from various verticals, such as Banking, Financial services or Healthcare have sensitive data which they have encrypted using keys or certificates in key vaults. Resource Mover now supports moving VMs encrypted with Azure Disk Encryption and VMs with Service Side Encryption (SSE) enabled using Customer Managed Keys (CMK).

Resolve dependencies will now show Disk Encryption Set (DES) & Key vault as dependencies based on encryption type.

Users need to copy the keys to the destination key vault for VMs encrypted with ADE with a script provided, and create a new DES VMs with SSE enabled using CMK. Afterwards, you can assign destination resources – for Key vault & DES.

Health monitoring & auto-resolve for VMs
Health monitoring for Virtual Machines will monitor the VM replication health once ‘Prepare’ is triggered. This involves copying of delta changes for the time between VM is ready to move and customer initiating the VM move. A health error, which shows up in ‘Issues’ for a VM if the last copy of the delta changes was created more than 60 mins.

After making edits to a destination configuration, user can now choose to Save changes or Save and validate dependencies. Save changes is selected if you want to edit other resources also, and want to validate everything together. Save and validate is selected if you want to understand the impact this has on other resources before you proceed. This avoids user having to click on validate dependencies later.

Other>Cloud Services (extended support)

Cloud Services (extended support) is now available in public preview in Azure portal

Cloud Services (extended support) is now available in public preview. It is a new Azure Resource Manager (ARM) based deployment model for Azure Cloud Services. Cloud Services (extended support) has the primary benefit of providing regional resiliency along with feature parity with Azure Cloud Services deployed using Azure Service Manager (ASM). It also offers some ARM capabilities such as role-based access and control (RBAC), tags, policy, and supports deployment templates.

You can follow the instructions to Deploy a Azure Cloud Services (extended support) using the Azure portal.

INTUNE

Updates to Microsoft Intune

The Microsoft Intune team has been hard at work on updates as well. You can find the full list of updates to Intune on the What's new in Microsoft Intune page, including changes that affect your experience using Intune.

Azure portal “how to” video series

Have you checked out our Azure portal “how to” video series yet? The videos highlight specific aspects of the portal so you can be more efficient and productive while deploying your cloud workloads from the portal. Check out our most recently published videos:

Next Steps

The Azure portal has a large team of engineers that wants to hear from you, so please keep providing us your feedback in the comments section below or on Twitter @AzurePortal.

Sign in to the Azure portal now and see for yourself everything that’s new. Download the Azure mobile app to stay connected to your Azure resources anytime, anywhere. See you next month!

New blog articles in Products

Customer Offerings:Device Protection w/ Microsoft Endpoint Manager & Microsoft Defender for Endpoint

Announcing the preview of Zone Redundant Storage (ZRS) option for Azure managed disks

Use ZRS disks for legacy applications to achieve better availability

Use ZRS with shared disks

Use ZRS disks to achieve zero RPO

Pricing and performance

Get started

SAP on Azure General Update – February 2021

1. Hotnews : Updates to SAP on Azure Documentation

2. New Azure Monitoring Agent

3. Tuning for SIOS LifeKeeper on Oracle Linux

4. Recommended Blogs for SAP on Azure Customers & Consultants

5. SQL Server 2019 CU8 Distributed Network Name

6. Running Oracle on Azure NetApp Files

7. SUSE Linux 15 Service Pack 2 – Remove Mount Option NOBARRIER

8. Update on Support Matrix for SAP on Azure

9. New Azure Monitor Counters – Guest VM Throttling

Additional Links & Notes

What’s New in Azure Disk Storage at Microsoft Ignite 2021

Application Troubleshooting - Stateless/Stateful Services Cannot Be Started In Service Fabric

Troubleshooting 4xx and 5xx Errors with Azure APIM services

Troubleshooting:

Troubleshooting:

Troubleshooting:

Troubleshooting 4xx and 5xx Errors with Azure APIM services

[UI Only] Event Trigger Renamed to Storage Event Trigger

Delivering an even better Redis experience on Azure

What’s in the box?

Active Geo-Replication

Increased Availability

Redis Modules + Redis 6.0

Learn More

What’s new in Azure AD at Microsoft Ignite Spring 2021

AzureRM will retire by 29 February 2024

Looking back

How do I migrate?

Products and services using AzureRM

Next steps

Universal Print ready printers by Epson

February Project Update Blog

Microsoft Project Trivia!

Reimagine Project Management with Microsoft

New Features

Upcoming Features

FAQ:

Microsoft Endpoint Manager at Microsoft Ignite: March 2021 edition

Core sessions

Spotlight on the future of work

Engineer to engineer: let's talk Windows!

On-demand sessions

Ask the Experts

Microsoft Edge

Windows & Devices

Depth on demand

Endpoint management deep dives – Q&A in March

Learn more

Stay informed

Remotely run DDL and DML in Synapse from a SQL Managed Instance using Linked Servers

WinObj v3.01

Get insights on application reliability and device restart frequency with Endpoint analytics

10 Reasons to Love Passwordless #8: You won’t get phished!

PolyBase error - 100001;Failed to generate query plan.

Azure Marketplace new offers – Volume 118

Applications

Consulting services

SharePoint Roadmap Pitstop: February 2021

Add up to 25 embedded, editable labels to your tasks

Implement hybrid and multicloud with Cloud Adoption Framework

Unlock flexibility, agility, and scale with hybrid and multicloud

Address hybrid and multicloud needs with unified operations

Get started with implementing hybrid and multicloud?

More hybrid and multicloud learning resources

Troubleshooting connectivity to Blob Storage using Azure Storage Explorer with Private Endpoint

MySQL 8.0.21, Zone placement, and IOPs scaling now available in Flexible Server!!!

MySQL 8.0.21 now available in Flexible Server

Zone Placement – Specify your preferred Availability zone during server creation

Scale IOPs independently of the storage provisioned

Known issues and what’s next

Leveraging Storage Analytics Logs to analyze who accessed the Storage Account