User Profile
pazdedav
MVP
Joined 10 years ago
Recent Discussions
Re: Azure Governance Tools Policies, Blueprints, and Role-Based Access Control (RBAC)

Good summary, JohnNaguib. I was just wondering if it makes sense to reference Azure Blueprints, since they are on the deprecation path and should be replaced with Template Specs and Deployment Stacks.

Re: running python script on azure pipeline and storing output

Hi rekha7,

There is a set of predefined variables in Azure Pipelines, one being System.DefaultWorkingDirectory. This is where the code from your repository is stored on an agent. You can find more info about those variables and how to use them here.

In general, there are several ways you can persist an output from your pipeline run:

- save it as a pipeline artifact, so you can retrieve it at a later time
- use a cloud storage service and its CLI commands to persist it there, e.g. Azure Blob Storage. A useful blog post on how to do it here.
- store your file in the source git repository.

Keep in mind, when the pipeline run is over, the agent and anything stored in its filesystem gets wiped, so just storing it in the filesystem would not persist the data.

Re: Spending limit for users

Hi Mika,

As far as I know, there still isn't a "native" way to enable spending limits per user. And to be clear, I don't represent Microsoft or even the Cost Management PG; I'm just a community member like you trying to help and provide ideas or workarounds. The workaround I described earlier could still work, but it requires a specific way of assigning RBAC roles and setting up budgets and budget alerts.

Re: Azure Banned password list automation

I am afraid there isn't an API available to manage 'password protection' and specifically the custom banned password list (https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad#custom-banned-password-list).

Re: Azure subscription transfer

Hi rangawickramasekara,

You are actually transferring your subscription to a different AAD tenant, not the other way around. Since there can only be one "authoritative" AAD directory per Azure subscription, it is not possible to transfer "role assignments". What you could do instead is:

- export current role assignments with 'security principals' (users, groups, SPNs, MIs), roles, and scopes
- map those original security principals to their "representatives" in the new tenant
- prepare a script (or a template) that will populate the RBAC with those role assignments as a bulk operation, to minimize any disruptions this transfer may cause

There is a comprehensive guide about the transfer with a recommended workflow: Transfer an Azure subscription to a different Azure AD directory | Microsoft Docs

Re: Execute script on Azure Windows VM via Azure pipeline

Hi sag007,

There are several ways you could accomplish what you want:

1. Custom script VM extension - you could deploy a custom script VM extension as part of your VM provisioning (assuming you are using CLI, PowerShell, ARM/Bicep template or a similar IaC tool for infra provisioning). You would add such an extension as a 'child resource' to your VM declaration. When the VM is fully up and running, this extension could trigger a PSH script to download and install your tool. Azure Custom Script Extension for Windows - Azure Virtual Machines | Microsoft Docs

2. State configuration - a feature of Azure Automation that uses PowerShell DSC to declare the 'desired state' of your VM. This could indeed be used as well, but it requires a bit of extra knowledge and steps to set it up if you are not familiar with DSC. Azure Automation State Configuration overview | Microsoft Docs

3. Azure VM Run command - there is also a way to trigger an imperative command from "anywhere" (through the Azure Resource Manager API / control plane) without a need to either expose the VM to the Internet using a public IP or require private connectivity for, e.g., PowerShell Remoting. You could run this command from your pipeline agent. Run scripts in a Windows VM in Azure using action Run Commands - Azure Virtual Machines | Microsoft Docs

Depending on where you could store the binary file (the tool) and the script, you might need to solve the topic of getting those files to the VM, e.g. by using a custom VM image and "baking the files" into the image, or storing the files in Azure Blob. Hope it helps.

Re: Azure Policy - Find Resources without Tags

Hi Phil123,

I assume you are not looking for a particular tag key and/or values, but you want the policy to audit all resources that have no tags. If that is true, then you are right, there isn't any built-in policy for that! I created a custom policy with indexed mode and used the following policy rule:

    "policyRule": {
      "if": {
        "field": "tags",
        "exists": "false"
      },
      "then": {
        "effect": "audit"
      }
    }

Based on my tests, it did correctly show all resources in my subscription where I haven't applied any tags. Please try it out 🙂

Re: Azure standardized template for new user's profile

Hi Czacholio,

I assume your scenario is about Windows clients (W10 or W11) and you are primarily working with physical PCs (laptops, desktops). For a long time, there was a technology called Roaming Profiles that, together with Group Policies, was able to solve what you described. Roaming Profiles is no longer something I would recommend. Instead, you should investigate UE-V, or User Experience Virtualization: Get Started with UE-V - Configure Windows | Microsoft Docs

It's important to note that this technology has nothing to do with Microsoft Azure, and there isn't any cloud service on Azure you could leverage to implement UE-V.

Re: Is it possible to forward the azure monitor logs data to Geneva or Kusto?

Hi Tianyu,

AzMon has a log export capability, where you could use Event Hubs and stream the logs to your 'target system'. More info here: https://docs.microsoft.com/en-us/azure/azure-monitor/logs/logs-data-export?tabs=portal

Since Geneva and Kusto are MSFT internal services, you could try to ask AzMon engineering internally. The docs also talk about a possibility to query data with Azure Data Explorer, which is essentially a productized version of Kusto. Worth checking as well.

Re: Sign-in Logs of Azure Virtual Machine

One of the options is to use the Microsoft Monitoring Agent (MMA), also known as the Log Analytics Agent, and use the following article to configure Event Logs as 'data sources': https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-windows-events

Re: Sign-in Logs of Azure Virtual Machine

Signing in to Azure VMs (e.g., an RDP or an SSH session) is a 'data plane' operation that is logged on the VM level in the Event log (or syslog), not in the Azure Activity Log (unless you are using the Azure AD Sign-in to VMs feature). There is a way to collect the System Event Log (or syslog) to Log Analytics using the Log Analytics agent, but this needs to be configured properly.

Re: Findings all Azure SQL Servers with "Deny public network access" disabled

Hi eitan1000,

If you want to search across many subscriptions, you could use an Azure Resource Graph query instead of PowerShell (where you need to switch / loop between subscriptions):

    resources
    | where ['type'] =~ 'Microsoft.Sql/servers'
    | where properties['publicNetworkAccess'] == 'Enabled'

Re: Best practice hierarchy for Azure management groups

Hi MouradH,

Microsoft has published design considerations and recommendations for building a Management Group hierarchy in the Azure Landing Zone methodology (part of the Cloud Adoption Framework for Azure). You can find the details here: Management groups - Cloud Adoption Framework | Microsoft Docs

Re: Public IP prefix pricing

I believe you will be charged for all 4 IPs. If you go to the pricing page (https://azure.microsoft.com/en-us/pricing/details/ip-addresses/) and open the 'What is the price for specific size of a prefix?' FAQ point, it explains it a bit more. The way I understand it is that when you reserve an IP block, it cannot be assigned to other customers, so regardless of whether you assign those IPs to your resources or not, they are "blocked" for you, so you will be billed. I could be wrong though; I am not a pricing expert.

Re: Private Endpoint to Azure Blob Storage from On-Premise

Great question 🙂

So, the beauty of Private Endpoints is that they are enabled inside your VNets, meaning IP ranges you choose and control. If you build cross-premises connectivity - either a S2S VPN or ExpressRoute - those Azure VNet prefixes will be advertised to your on-prem network. If you configure name resolution correctly, it should work automatically:

- any DNS query to the blob.core.windows.net domain (the one from your example; let's assume you configured forwarding for this domain in your on-prem DNS servers) would resolve to a private IP address that was assigned in the Azure VNet to that private endpoint.
- your on-prem router / VPN gateway will route this traffic to Azure, where it should reach the correct VNet and IP (network card), and through Private Link it would get to the storage account.
- the response would follow the same path back.

Private Endpoints allow you to build this connectivity to Azure PaaS services without a need to use public IP addresses for those services. You can't remove those public endpoints, but you could configure IP filtering in the storage account configuration to block any traffic from the Internet, effectively disabling that public endpoint. Eventually, you could enable only some source IP prefixes. You don't need to allow VNet(s) on the storage account, since this configuration is related to Service Endpoints, which is a different capability (works only on Azure, not from on-prem).

Re: Private Endpoint to Azure Blob Storage from On-Premise

Hello,

If, apart from enabling Private Endpoints, you also want to enable cross-premises DNS resolution (being able to resolve Private DNS zones from on-prem / retrieve private endpoint IP addresses, as well as resolving on-prem hosted DNS zones from Azure), this is what you should do:

- Your "Spoke VNets" (peered to the Hub, where you host the VPN Gateway, DNS Forwarders and Private DNS zones) should be configured with the 'Custom DNS' option (and not the 'Azure-provided' default) and point to those two DNS Forwarder VMs you host in the Hub. In this way, your Azure resources in Spokes can resolve both Azure Private zones and on-prem DNS zones.
- Your DNS forwarders should have a DNS "role", where you configure Conditional forwarding for your on-premises zones, pointing to your on-prem DNS servers, authoritative for those zones. You need to make sure that those Forwarders can reach your DNS servers (e.g., firewall restrictions, routing).
- In order to resolve Azure Private DNS zones from on-prem, your DNS servers need to be configured with Conditional forwarding, where for 'blob.core.windows.net' zone queries you point to those DNS Forwarders in the Hub (using IP addresses).

Obviously, when you want to leverage other Private Endpoints, e.g., Azure SQL Database, you will add the respective zone to conditional forwarding and create a new private DNS zone in the Hub for that service.

I don't think that the configuration of DNS suffixes on the Forwarders matters. You will be referring to them using IP addresses in the configuration.

Let me know if you have more questions.
Recent Blog Articles
No content to show