Azure file storage private endpoints

I’ve previously detailed how to create an Azure SMB File Share:

Creating an Azure SMB file share

as a way to create a ‘cloud USB’ drive that you can map to just about any desktop quickly and easily. All of this is accomplished securely but many remain hesitant to do this across the Internet directly. Luckily, there is now an option to map this SMB share to an IP address inside an Azure VNet to restrict access if desired.

image

Before you set this up you will need to have an existing Azure Vnet created as well as a paid Azure subscription. You can add a Private Endpoint to an existing Azure storage account or create one at the same time you create a new Azure Storage account. In this case, I’m going to an existing account.

In the Azure portal search for “private link”, which should then take you to the Private Link Center as shown above. Select the Add button on the right.

image

You’ll need to select a Resource Group as well as a Name as shown above.

image

You’ll then to select the Azure Storage account and the file option to connect to an existing SMB file share as shown above.

image

Next, you’ll need to connect to an existing Vnet and if you want to access the resource privately by a name, then you’ll need to integrate it with a private DNS zone, which will also be set up for you as part of this process.

image

You can then add tags. Note – when I created mine, if I assigned tags here I couldn’t create the Private Endpoint, which appears to be a bug. So, if for some reason you find the same issue, create the Private Endpoint without tags and then add them later.

With all that done, select the Create button to finish the configuration on the Review + Create page.

image

When the set up process is complete you’ll now see your endpoint as shown above with an allocated IP address on the Vnet you selected.

image

If you then look at your Vnet, as shown above, you will see that the Storage Account is seen as a connected device.

SNAGHTMLc990f5b

If you now visit the Storage Account and select Firewalls and virtual networks as shown above, you can configure what networks can access this new Private Endpoint.

Leaving the option set to All networks means that you can still map to that SMB share directly across the Internet, which you may want.

image

However, in the above case, I have selected to restrict the access to the Vnet only.

image

Doing so means that the ONLY way I can now access that SMB Share is via the selected Vnet. I can’t get to it using the Azure portal on my remote desktop machine as shown above.

image

If I wanted to access this from a remote location, outside the Vnet across the Internet, I could add those details below. However, I have chosen not to do this.

My Azure SMB File share now has a dedicated IP address that is restricted to access via an Azure Vnet, how do I work with this share directly on premises? Easy. I set up an Azure Site to Site VPN to that same Vnet and now I can access that Azure SMB File share from my local machines by mapping to something like the IP address.

image

Thus, the only way that Azure SMB file share can be access is across a Site to Site VPN, making even more secure.

image

Private Endpoints support connection to a number of PaaS Azure services as shown above. This is handy as it allows you to connected you Azure IaaS services (like VMs) directly to Azure PaaS (like storage) quickly and easily as shown. What’s the benefit? Remember, IaaS is typically billed on time used, while PaaS is billed on resource consumption. Thus, why should I pay for a VM to store my data and pay the time it runs (typically 24/7), plus disk storage where I could use Azure Storage and most be billed just for the data capacity?

PaaS is the future and has many benefits over IaaS. You should be looking to shift as much of you infrastructure to PaaS to take advantage of things like reduce maintenance, cost savings, etc. Private Endpoints is an easy way to start doing just that. For more information on Azure Private Endpoint visit:

What is Azure Private Endpoint?

Intune policy sets

The modern way to manage and configured devices in the Microsoft Cloud is to use Intune to handle device enrolment and configuration. This can become complex quickly when you at look configuring across the different operating systems (iOS, Android, Windows, MacOS, etc) and the different policies (endpoint, compliance, restrictions, etc) because there are so many possible variations. If you then layer on a variety of users and their requirements, being consistent across the organisation can be a challenge.

image

Luckily, Intune now gives us something called Policy Sets which you can find in the Microsoft Endpoint Manager admin center as shown above.

image

As the opening screen, shown above, notes – Policy sets are basically a way to group a set of individual policy configurations together and have them applied as a group. Handy eh?

image

Basically, you follow through the wizard and select the policies you wish to group together and then users you wish that to apply to. You save that as an individual Policy set, of which you can create as many different ones as you like.

Once you create the policy it will be applied exactly the same as if you did each policy individually, but now you can do all that together via a single setting! You can go back in at anytime and edit the Policy sets you created.

Device manager Policy Sets allow you to easily group a variety of individual Intune policies together and apply them together to a group of users quickly and easily. This should save you lots of time over creating an individual enrolment policy and applying, then an individual compliance policy and applying, then an individual endpoint protection policy individually and so on.

Need to Know podcast–Episode 220

In this episode I speak with Leigh Wood from Node IT in the UK about what attending the Microsoft worldwide partner conference known as Inspire. Leigh gives us some great insights, experiences and the benefits of attending. A great episode for Microsoft partners to listen in to and learn from Leigh. We have our usual Microsoft Cloud updates from Brenton and myself. Stay tuned, stay up to date and listen along. Let us know what you think of this episode.

This episode was recorded using Microsoft Teams and produced with Camtasia 2019

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-220-leigh-wood/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

@nodeIT

@contactbrenton

@directorcia

Microsoft submissions to Cyber 2020 strategy

Outlook on the web is becoming a progressive web app

Security defaults provides key security for free

Microsoft Partner Agreement

Azure Sentinel

Azure Sentinel is a great add on

MFA penetration in the Microsoft Cloud

Microsoft Norway now open

Azure cost management for partners

CIAOPS AZ-900 Exam prep course now available

AZ-900-microsoft-certified-azure-fundamentals

I am happy to announce I have completed another online Microsoft exam prep training. This time it is for the Microsoft AZ-900 Azure Fundamentals exam. This exam is an excellent starting point if you are looking to get into Azure. It is quite broad but it is important to remember that it is focused on ensuring you have a basic understanding of most of the Azure services. That means, you need to know what they are and what they do NOT how to configure them individually.

I am a big believer in industry certifications as I have details previously here:

The benefits of certification

It is important to have Azure in your tool bag these days because new services like Windows Virtual Desktop are built on a variety of Azure services. To do anything with Windows Virtual Desktop, you are going to need to have Azure knowledge and this AZ-900 is a great starting point on that journey.

You can sign up for this new course here:

https://www.ciaopsacademy.com/p/azure-az-900-exam-preparation/

and look out for more courses coming soon from the CIAOPS.

Bad guys keep winning (Part V)

image

The above amazing slide is from the recent Microsoft Ignite 2019 session – SECI20 – Shut the door to cybercrime with identity-driven security.

This means that vast majority of Microsoft Cloud tenants DO NOT have their admin account secured via MFA. You could understand maybe 5 or 10 percentage as ‘break glass’ style accounts but 92%??

Would you not say that in the past year we, as a society, have become MORE dependent on technology? I know many business can’t run a business without technology but not enabling simple protective measure like this is simply amazing! It also makes you wonder at how much else is not secured appropriately? I think saying that 92% of ALL IT installations are not appropriately secured would not be far wrong.

The good news is that, if you take the time to implement things like MFA, you are more secure than 92% of systems out there. Given that bad guys go after the easiest target (law of the jungle), it kinda makes you less susceptible. Sad but true, that there are plenty of victims out there just waiting to happen!

I’m sure there is a lot of finger pointing that can be had as to who is responsible and who needs to do what, however all that is irrelevant as it simply means the bad guys are rubbing their hands together as the 92% vacillates over implementing what really should be mandatory!

Techwerks 10–Sydney 12th February 2020

bw-car-vehicle

I am happy to announce that Techwerks 10 will be held in Sydney on Wednesday the 12th of February 2020. The course is limited to 20 people and you can sign up and reserve your place now! You reserve a place by completing this form:

http://bit.ly/ciaopsroi

or  sending me an email (director@ciaops.com) expressing your interest. This training is just before the Microsoft Ignite the Tour in Sydney, so if you are in town for that you can hopefully also take advantage of this training.

The content of these all day face to face workshops is driven by the attendees. That means we cover exactly what people want to see and focus on doing hands on, real world scenarios. Attendees can vote on topics they’d like to see covered prior to the day and we continue to target exactly what the small group of attendees wants to see. Thus, this is an excellent way to get really deep into the technology and have all the questions you’ve been dying to know answered. Typically, the event produces a number of best practice take aways for each attendee. So far, the greatest votes are for deeper dives into the Microsoft Cloud including Microsoft 365, Azure, Intune, Defender ATP, security such as Azure Sentinel and PowerShell configuration and scripts, with a focus on enabling the technology in SMB businesses.

Recent testimonial – “I just wanted to say a big thank you to Robert for the Brisbane Techworks day. It is such a good format with each attendee asking what matters them and the whole interactive nature of the day. So much better than death by PowerPoint.” – Mike H.

The cost to attend is:

Gold Enterprise Patron = Free

Gold Patron = $33 inc GST

Silver Patron = $99 inc GST

Bronze Patron = $176 inc GST

Non Patron = $399 inc GST

I hope to see you there.

Another great security add on for Microsoft 365

Previously, I have spoken about Cloud App Security being a ‘must have’ add on for any Microsoft 365 environment:

A great security add on for Microsoft 365

I now believe that the next ‘must have’ security add on you should integrate with your tenant is Azure Sentinel.

image

In a nutshell, Azure Sentinel will allow you to monitor, alert and report on you all you logs from just about any location, whether on prem or in the cloud.

image

Once you have created the Sentinel service and assigned it a log workspace, the first place to go is to the Connectors option as shown above.

Here you can connect up your services. There is a huge range of options from Office 365, Azure, on prem and third parties like AWS, At a minimum I would suggest you connect up your Azure and Office 365 services.

image

Next, go to the Analytics option, then select Rule templates from those available. These rules are basically queries across your data sources from your connectors. Add in the rules that make the most sense for your environment.

image

As you create these rules you be stepped through a wizard as shown above.

image

The Set rule logic step allows you to define the rule based on the data being received. You will notice there are lots of options. The great thing about using the templates is that this is already done for you but you can certainly modify these or create your own.

image

The real power of Azure Sentinel lies in the Automated response step shown above. Here you define what actions will be taken when a alert is generated by the rule. This means that you can have something automatically execute when an alert happen. This could be a remediation process, advanced alerting and more. This allows the response action to threat to be immediate and customisable.

image

Next, go into the Workbook options as shown and then the Templates area and add all the options that make sense.

image

A workbook is basically an interactive dashboard where you can graphically query and report on data as shown above.

image

When rules are triggered they will appear as Incidents that you investigate as shown above.

image

You’ll be able to explore incidents in greater depth using the graphical explorer as shown above.

image

Good security is about being pro-active and Azure Sentinel gives you this via the Hunting option as shown above. This allows you to run standard queries against the data to discover items that may need further investigation and analysis. Note the option highlighted here that allows you to Run all queries at the touch of button. This is yet another hugely powerful option as you can now ‘hunt’ across all your information so quickly. Show me another tool that can do this for both cloud and on prem?

image

There are lots more features, but by now you are probably wondering what the costs are? As you can see from above, they are based on storage and you can reserve a storage size to suit your needs. However, you can also opt, as I have, for a pay as you go option.

image

This means the Azure Sentinel cost to analyse all my data is AUD$3.99 per GB of data and

image

on the pay as you go plan I also need to factor in data ingestion, which is shown above in AUD$. Note that you get 5GB of data ingestion free per month. After that, I’d be paying AUD$4.586 per GB.

image

As you can see from the above usage figures I am no where near the 5GB ingestion limit, so all I am currently paying for just Azure Sentinel analysis.

The amount of data you ingest and analyse will depend on the services you connect and well as things like data retention periods. All of these can be adjusted to suit your needs. There are also many other Azure pricing tools you can use to control your spend. However, if you are concerned about running up an excessive bill, just connect and few services and scale from there.

In my case, I have logs from Microsoft 365 Cloud services, Azure, on premises machine monitoring, Defender ATP and more all going into Sentinel. Basically, everything I can, is going in there and the costs remain low.

I have always maintained that when you sell Microsoft 365, you should also sell an Azure subscription:

Deploy Office 365 and Azure together

Azure Sentinel is yet further confirmation that you should be doing this to add greater functionality and security to your environment. I will be spending more time deep diving into Azure Sentinel so make sure you stay tuned.

What you need for Windows Virtual Desktop (WVD)

banking-checklist-commerce-416322

Windows Virtual Desktop (WVD) is now generally available and I’ll be covering off how to set it up in upcoming articles. However, before you even login to your Azure tenant to start setting this up, here’s what you’ll need:

1. A Windows Virtual Desktop license for every user who want to use the service. These come with all Microsoft 365 and Windows E3 and E5 suites.

2. A paid Azure subscription. The majority of the cost of the WVD service will be your Virtual Machine hosts. The cost of these will vary on how many you want to use and how long they run for.

3. Azure Active Directory. The users who access the WVD service need to be in Azure AD. These users can be cloud only or synced from on premises using Azure AD Connect.

4. A Domain Controller (DC). At this point in time the WVD still requires a ‘traditional’ domain controller to allow the VMs to connect to for access. If you only have cloud users then the easiest option to achieve this is to add Azure AD Domain Services. If you already have an on premises Domain Controller (DC) you’ll need a Site to Site (S2S) VPN to link your on premises network to Azure. Note, that if you have an on premises DC that is using Azure AD Connect you can’t just add Azure AD Domain Services because Azure AD Connect doesn’t sync ‘traditional’ DC attributes. So, if you have an on premises DC, even if it is already using Azure AD Connect, you’ll still require a S2S VPN to Azure to allow the WVD service to connect VMs to that domain.

5. Azure AD tenant ID. Each Azure AD has a unique number which you can get from the web interface or via PowerShell. This is because it is possible to have multiple AD’s inside Azure and each can be configured and connected differently. The WVD service will need to know which specific Azure AD to connect to when provisioning.

6. Azure Subscription ID. The costs of the WVD service need to be applied against a unique subscription inside Azure. again, remember it is possible to have multiple independent subscriptions inside an Azure tenant. The WVD setup will need to know which subscription to bill for the service.

7. Azure tenant admin account. This will typically be a global administrator of your Azure environment. This will typically be the user who sets up, configures and manages WVD. They will also typically be an administrator of the domain that is connected to Azure AD.

8. Domain join account. This is an account that has the rights to join machines to the domain. The WVD service will create a number of VMs that need to be connected to the domain so that users on the domain can login to these machines in your WVD environment. You may wish to have a domain join user who is not a global administrator for security reasons but you should also be aware of the potential password requirement differences between your domain user and the Azure admin account. You may wish to use the same Azure admin account as your domain join account. If so, just beware of the password requirement policy for these.

image

As you can see above, the domain join account has to be at least 12 characters long, plus 3 of the following – 1 lower case character,  1 upper case character, 1 number, a special character. That requirement may be different from what your Azure AD or on premises AD requires. My recommendation would be to create a stand alone domain join account that meets the requirements and is only used for joining machines.

9. Azure Virtual Network (VNET). You’ll need a pre-existing VNET for the WVD machines to connect to. When you implement Azure AD Domain Services or a S2S VPN to connect an on premises DC, you’ll need a VNET. Make sure you understand the IP addressing and subnetting of your Azure VNET when you create it, as changing it later can be very painful.

10. Appropriate skill set. WVD requires a range of skills and understandings including:

– Identity management

– Azure AD

– PowerShell

– Azure IaaS including VNETs, VMs, Storage, etc

– Networking

– Azure backup, imaging, etc

Can you bumble you way through without these? Maybe, but life will be much easier if you do have these skills and really, if you are planning to work in the Microsoft Cloud environment, these should be considered mandatory.

There you have it, ten pre-requisite items to get sorted before you launch into creating a WVD for yourself. Get these sorted prior and your installation will be much smoother!

As I said, I’ll have upcoming articles on how to set this up, so stay tuned.