Step-By-Step: Creating an Azure Point-to-Site VPN
Site-to-Site VPN is the most common method organizations use to connect on-premises network to Azure vNet. This VPN connection is initiated in your edge firewall or router level. But what if you connecting from remote location such as home? We can use point-to-site method to do that. In this method it will use certificates to do the authentication between end point and azure virtual network.Step-by-Step: How to work with Group Managed Service Accounts (gMSA)
Services Accounts are recommended to use when install application or services in infrastructure. It is dedicated account with specific privileges which use to run services, batch jobs, management tasks. In most of the infrastructures, service accounts are typical user accounts with “Password never expire” option. Since these service accounts are not been use regularly, Administrators have to keep track of these accounts and their credentials. I have seen in many occasions where engineers face in to issues due to outdated or misplace service account credential details. Pain of it is, if you reset the password of service accounts, you will need to update services, databases, application settings to get application or services up and running again. Apart from it Engineers also have to manage service principle names (SPN) which helps to identify service instance uniquely.Step-by-Step: Blocking Data Downloads via Microsoft Cloud App Security
By using Azure AD conditional access policies, we can define who have access to what applications from where. This is purely control the access to your app. Microsoft Cloud App Security (MCAS) allow us to extend these capabilities further into session level. Using MCAS, we can examine each session to the app in real-time to protect information further.PowerShell Basics: How to Troubleshoot Active Directory Replication Issues
There are certain windows cmdlets and utilities which we can use for replication issues troubleshooting purpose. Among those, Repadmin.exe is most commonly used Microsoft utility. This is available in servers which have AD DS or AD LDS role installed. It is also part of Remote Server Administration Tools (RSAT). This utility recommended to run as Domain Administrator or Enterprise Administrator. However, it is also possible to delegate permission only to review and manage replication. This posts will share the steps to make this happen via PowerShell.How to Migrate Active Directory from Windows Server 2012 R2 to 2019
Windows Server 2019 was available for public (GA) from early October 2018. In past i have written many articles about domain migrations by covering different Active Directory versions. So, it is time me to write about AD 2019 migrations. In this demo I am going to demonstrate how to migrate from Active Directory 2012 R2 to Active Directory 2019. The same procedure is going to apply for any AD version from Windows Server 2008.Step-by-Step: How to update an Azure Linux VM using Update management
Operating system updates include feature updates, bug fixes, and security improvements and are important to update periodically. This applies to desktop computers as well as servers. There are many tools available to manage the Windows update process. When it comes to Linux however, most struggle as few tools support Linux system updates. Luckily in Azure, we can manage updates for Linux VMs without any 3rd party tool. This post will detail steps on how to enable patch management for Linux VM and how we can automate the patch deployment task.Step-by-Step: Managing Groups via Azure Active Directory PowerShell for Graph module
In my previous blog post, I explained how we can manage Azure AD users by using Azure Active Directory PowerShell for Graph module. In there I also shared many examples. You can access it via https://techcommunity.microsoft.com/t5/ITOps-Talk-Blog/Step-by-Step-Managing-Users-via-the-Azure-Active-Directory/ba-p/961128 In this blog post I am going to show how we can manage Groups, using same method. Azure AD Groups also works similar to on-premises AD groups. It can use to manage permissions in effective manner. In Hybrid environment there will be cloud-only groups as well as synced groups from on-premises AD environment. In this section we are going to look in to group management using Azure Active Directory PowerShell for Graph module. Let’s start with listing groups. We can search for a group using, Get-AzureADGroup -SearchString "sg" In above command, SearchString is used to define the search criteria. Above example will list down any group containing “sg” in Display name field. In search result, we can see the objectId for the group. Once we know the ObjectId, we can see the details of the group using, Get-AzureADGroup -ObjectId 93291438-be19-472e-a1d6-9b178b7ac619 | fl In hybrid environment, there will be security groups which is synced from on-premises Active Directory. We can filter this groups using, Get-AzureADGroup -Filter 'DirSyncEnabled eq true' | select ObjectId,DisplayName,LastDirSyncTime In above example, LastDirSyncTime column display the last successful sync time of the group. We can filter cloud-only groups using, Get-AzureADGroup -All $true | where-Object {$_.OnPremisesSecurityIdentifier -eq $null} In preceding command, we are using attribute OnPremisesSecurityIdentifier to filter the groups. This attribute only has value if it is synced from on-premises AD. We can view group memberships by using, Get-AzureADGroupMember -ObjectId 2a11d5ee-8383-44d1-9fbd-85cb4dcc2d5a In above command, we are using ObjectId to uniquely identify the group. We can add members to group using Add-AzureADGroupMember cmdlet. Add-AzureADGroupMember -ObjectId 2a11d5ee-8383-44d1-9fbd-85cb4dcc2d5a -RefObjectId a6aeced9-909e-4684-8712-d0f242451338 In preceding command, ObjectId value represent the group and RefObjectId value represent the user. We can remove a member from group by using, Remove-AzureADGroupMember -ObjectId 2a11d5ee-8383-44d1-9fbd-85cb4dcc2d5a -MemberId a6aeced9-909e-4684-8712-d0f242451338 In preceding command, ObjectId value represent the group and MemberId value represent the user’s Object Id. We also can combine Add-AzureADGroupMember cmdlet with Get-AzureADUser cmdlet to add bulk users to a group. In below script, I used Get-AzureADUser cmdlet to search users in Marketing Department. Then used Add-AzureADGroupMember to add those users to Sales group as members. #######Script to Add Multiple users to Security Group############# Import-Module AzureAD Connect-AzureAD ##### Search for users in Marketing Department ########## Get-AzureADUser -All $true -Filter "Department eq 'Marketing'" | select ObjectId | Out-File -FilePath C:\salesusers.txt #####Add Users to Sales Group######### (Get-Content "C:\salesusers.txt" | select-object -skip 3) | ForEach { Add-AzureADGroupMember -ObjectId f9f51d29-e093-4e57-ad79-2fc5ae3517db -RefObjectId $_ } In hybrid environment, the security groups are mainly synced from on-premises AD. But there can be requirements for cloud-only groups as well. We can create cloud-only group by using, New-AzureADGroup -DisplayName "REBELADMIN Sales Team" -MailEnabled $false -MailNickName "salesteam" -SecurityEnabled $true Preceding command creates a security group called "REBELADMIN Sales Team". This group is not a mail enabled group. We can remove Azure AD group using, Remove-AzureADGroup -ObjectId 7592b555-343d-4f73-a6f1-2270d7cf014f In above, Object ID value defines the group. Apart from security groups, Azure AD also have predefined administrative roles which can use to assign access permissions to Azure AD and other cloud services. There are more than 35 predefined administrative roles. Each of role have their own set of permissions. More details about this roles can find in https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles We can list down all the administrative roles using, Get-AzureADDirectoryRoleTemplate By default, only few administrative roles are enabled. We can list these roles using, Get-AzureADDirectoryRole Company Administrator directory role represent the Azure AD Global Administrators. We can enable Administrative role using, Enable-AzureADDirectoryRole -RoleTemplateId e6d1a23a-da11-4be4-9570-befc86d067a7 In above command, RoleTemplateId value represent the Administrative Role. We can assign administrative role to a user by using, Add-AzureADDirectoryRoleMember -ObjectId b63c1671-625a-4a80-8bae-6487423909ca -RefObjectId 581c7265-c8cc-493b-9686-771b2f10a77e In preceding command, ObjectId value represent the Administrative Role. RefObjectId is the object id value of the user. We can list down members of Administrative role using, Get-AzureADDirectoryRoleMember -ObjectId 36b9ac02-9dfc-402a-8d44-ba2d8995dc06 In above command, ObjectId represent the Administrative role. We can remove a member from the role using, Remove-AzureADDirectoryRoleMember -ObjectId 36b9ac02-9dfc-402a-8d44-ba2d8995dc06 -MemberId 165ebcb7-f07d-42d2-a52e-90f44e71e4a1 In preceding command, MemberId is equal to user’s object id value.
