Azure AD & Salesforce user provisioning

I’ve been reading and hearing how awesomely easy it is to federate any of the 2500+ SaaS applications in the Azure Active Directory application gallery. I recently decided to give it a go since I had an Azure AD Premium 30 day trial activated for another lab I was running. I’m not going to go into the step-by-step instructions on how to do this; since Microsoft has moved away from TechNet and started drafting these easy to follow tutorials, it would be redundant.

Instead I thought I’d just share a simple scenario I tested in hopes that maybe you’ll see the immediate value and maybe even get you a little excited like it did me. Up to this point I’ve signed up for my Salesforce trial, setup my domain, and followed the rest of the Microsoft tutorial in the link above.

Group-based access to applications is where it’s at!

I’ve decided that anyone in my organization who is part of the marketing group should automatically have an account provisioned in Salesforce and be assigned the out-of-the-box “Marketing User” role within it.

Step 1) Create a new stand-alone group in your Azure Active Directory primary domain and enable dynamic membership, then specify that members of this group will be automatically populated if the “Department” field equals “Marketing”.

[screenshot: Lab1]

Step 2) Grant the “Marketing” group you just created access to the Salesforce application and define the role as “Marketing User”. Remember, we’ve already configured the user provisioning option depicted in the tutorial linked at the top of this article.

Active Directory > Directory > Domain > Applications > Salesforce > Users and Groups > Marketing

[screenshot: Lab2]

You can now see that the Marketing group has access:

[screenshot: Lab3]

Last but not least, the coolest part…

Step 3) Create a new on-premises user account, specify “Marketing” as the value of the “Department” attribute, force or wait for AAD Connect to synchronize that user object, and watch the magic happen.

[screenshot: Lab4]

Look! Steve Smith was synced, joined to the Marketing group, and because the Marketing group was given access to Salesforce, a new account was provisioned automatically in Salesforce under the “Marketing User” role.

[screenshot: Lab5]
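Here is an added example, not code from the original post, that scripts Step 3 and verifies the result: it creates the on-premises user with Department = “Marketing”, forces an AAD Connect delta sync, then polls Azure AD until the dynamic Marketing group contains the user. It assumes it runs on the AAD Connect server with the ActiveDirectory and ADSync modules available and an MSOnline session already connected via Connect-MsolService; the OU path, UPN suffix and group display name are placeholders.

```powershell
# Added example (not from the original post). Assumes ActiveDirectory + ADSync modules
# and an existing Connect-MsolService session. OU path, UPN suffix and group name are placeholders.
Import-Module ActiveDirectory
Import-Module ADSync

$upn = "steve.smith@domain.example"

# -Department is the attribute the dynamic membership rule (department equals "Marketing") keys on.
New-ADUser -Name "Steve Smith" -GivenName "Steve" -Surname "Smith" `
    -SamAccountName "ssmith" -UserPrincipalName $upn `
    -Department "Marketing" `
    -Path "OU=Users,DC=domain,DC=example" `
    -AccountPassword (Read-Host -AsSecureString "Initial password") -Enabled $true

# Force a delta sync instead of waiting for the AAD Connect scheduler.
Start-ADSyncSyncCycle -PolicyType Delta

function Wait-DynamicGroupMember {
    param([string]$GroupName, [string]$Upn, [int]$MaxAttempts = 20)
    $group = Get-MsolGroup -SearchString $GroupName | Select-Object -First 1
    if (-not $group) { throw "Group '$GroupName' not found in Azure AD" }
    for ($i = 1; $i -le $MaxAttempts; $i++) {
        $member = Get-MsolGroupMember -GroupObjectId $group.ObjectId -All |
                  Where-Object { $_.EmailAddress -eq $Upn }
        if ($member) { return $true }
        Write-Host "Attempt $i/$MaxAttempts - $Upn not yet in $($group.DisplayName); waiting..."
        Start-Sleep -Seconds 60
    }
    return $false
}

if (Wait-DynamicGroupMember -GroupName "Marketing" -Upn $upn) {
    Write-Host "$upn is in the Marketing group; Azure AD will now provision the Salesforce account." -ForegroundColor Green
} else {
    Write-Warning "$upn did not appear in the group; check the sync result and the dynamic membership rule."
}
```

Dynamic membership evaluation and the Salesforce provisioning cycle each run on their own schedule, so expect some lag after the delta sync completes before the account shows up in Salesforce.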

So the takeaway is that using this centralized identity service in Azure AD, organizations can drastically simplify user provisioning and de-provisioning while also enhancing security and saving everyone time.

Passing 70-534: Architecting Microsoft Azure Solutions

I recently passed the 70-534 exam; below you will find the materials I studied to gather the knowledge necessary to pass it. This test is a true architecture exam in that it covers material from just about everything under the sun within Azure. The most important advice I can give is to learn the key points within each feature or solution. You don’t necessarily need to know each feature 100%, but know the most important things such as what it does and what obvious limitations it has. For example: Azure AD provides a Graph API and doesn’t support LDAP, Service Bus Queues provide FIFO (first in, first out), and the Content Delivery Network (CDN) is for STATIC content that will be accessed from all over the world. Try to learn those key words and which feature they are associated with.

70-534 Architecting Microsoft Azure Solutions / Skills Measured:

https://www.microsoft.com/learning/en-us/exam-70-534.aspx

Exam Ref 70-534 Architecting Microsoft Azure Solutions

https://www.microsoftpressstore.com/store/exam-ref-70-534-architecting-microsoft-azure-solutions-978073569744

Microsoft Virtual Academy: Architecting Microsoft Azure Solutions

http://www.microsoftvirtualacademy.com/training-courses/architecting-microsoft-azure-solutions

Mark Grimes Overview of exam:

http://blogs.technet.com/b/tangent_thoughts/archive/2015/05/03/ready-for-this-quot-architecting-microsoft-azure-solutions-quot-exam-70-534.aspx

Early Experts Study Guide for Microsoft Specialist Certification Exam 70-534, Architecting Microsoft Azure Solutions

http://blogs.technet.com/b/keithmayer/archive/2015/01/12/early-experts-study-guide-for-microsoft-specialist-certification-exam-70-534-architecting-microsoft-azure-solutions.aspx

Ignite – Exam Prep Session for Exam 70-534: Architecting Microsoft Azure Solutions (Beta), Mark Grimes:

https://channel9.msdn.com/Events/Ignite/2015/BRK3913

Microsoft Virtual Academy Free eBooks, Azure:

http://www.microsoftvirtualacademy.com/ebooks#9780735695658

AnderseideBlog.wordpress.org, Skills Measured w/ Microsoft documentation links:

https://anderseideblog.wordpress.com/reading-lists/ms-exam-70-534-architecting-microsoft-azure-solutions/

MeasureUP Official Microsoft Practice Exam 70-534

http://measureup.com

What I love most about consulting

I could write a list of 50 things that I love about Microsoft consulting, but there’s one scenario that plays itself out on the occasional project that instantly recharges my motivational batteries. Working with State and Local Government comes with its own challenges and misconceptions, some true and some exaggerated. One of those is the notion that resources are segregated and it’s hard to get things done quickly… One could view those large organizations as a challenge to work with, and it can be, but it should also be viewed as a privilege because you’re very likely to work with individuals who are extremely proficient in their craft.

But going back to that “hard to get things done quickly” thing… I find that these organizations have various reasons for the lengthy project timelines. Things like change control, risk management, security audits, resource allocation, and buy-in from many different parties on large and small decisions.

All of the items above require patience and strong communication skills to work with all the necessary parties to keep the ball rolling.

So what was that one reason why I love consulting so much?

When you’re in the midst of navigating those challenges in large organizations, something goes wrong, not necessarily with something specific to the project, but something that impedes the project’s momentum… sometimes abruptly. Without mentioning specifics: events like hardware failure, mysterious network misconfigurations, bad patches, who knows.

What I love is seeing those barriers between the organization’s technical staff completely dissolve before your eyes, coming together and responding quicker than you thought possible. People staying late on a Friday evening, knowing and respecting the impact it has on your project. It’s the most infectious thing that can happen on a project and is almost guaranteed to strengthen your relationship. I’ve run into this scenario many times; it’s not always something I’m obligated to be there for, but I thoroughly enjoy witnessing teamwork of that nature, and I’ll most certainly be sticking it out with them.

So that’s what I love so much about consulting!

AzureCon: IaaS proper sizing and cost

Today is Microsoft’s free event called AzureCon; I happened to stumble across a brief session that talks about planning migrations of on-premises servers to Azure IaaS and how to get the most out of your money when moving these services to Azure. I liked the breakdown of the cost analysis and the explanation of how using the same amount of resources for your VMs in Azure as you do on-premises can result in extra costs, since your VMs may run more efficiently on Azure’s hardware.

Session: https://azure.microsoft.com/en-us/documentation/videos/azurecon-2015-azure-iaas-proper-sizing-and-cost/

Azure Cost Estimator Tool: http://blogs.technet.com/b/cbernier/archive/2015/03/26/microsoft-azure-cost-estimator-version-2-2.aspx

Azure Traffic Manager, ADFS Probes

If you’ve tried to set up Azure’s Traffic Manager for use with Active Directory Federation Services 3.0 (Server 2012 R2) and Web Application Proxy servers, you might have encountered some difficulty with the built-in health probes: your ADFS endpoints show up in a “degraded” state, especially if you’re pointing the monitor path at adfs/ls/idpinitiatedsignon.aspx.

The answer is to point your Azure Traffic Manager profile at the http://<WAP URL>/adfs/probe/ directory on the WAP servers. This probe endpoint was introduced in an August 2014 update, so if you haven’t updated your WAP servers, I would recommend doing so.

Lastly, you will likely need to allow port 80 to the WAP servers, either through a load balancer in the DMZ and/or in Windows Firewall.

[screenshot: profile]

And Windows firewall:

[screenshot: firewall1]

The rule should resemble:

[screenshot: firewall2]

And finally, Traffic Manager should reflect your newfound probe path:

[screenshot: Online]

Related commands, though these assume we have an Azure Government subscription:

New Traffic Manager profile

$TrafficManagerProfile = New-AzureTrafficManagerProfile -Name "fs-domainname" -DomainName "fs.domainname.usgovtrafficmanager.net" -LoadBalancingMethod "Failover" -Ttl 300 -MonitorProtocol "Http" -MonitorPort 80 -MonitorRelativePath "/adfs/probe/"

Add Endpoints

Add-AzureTrafficManagerEndpoint -TrafficManagerProfile $TrafficManagerProfile -DomainName "hq.fs.domainname.us.gov" -Status Enabled -Type Any -Location "USGov Iowa" | Set-AzureTrafficManagerProfile

Add-AzureTrafficManagerEndpoint -TrafficManagerProfile $TrafficManagerProfile -DomainName "dr.fs.domainname.us.gov" -Status Enabled -Type Any -Location "USGov Iowa" | Set-AzureTrafficManagerProfile

Links

New-AzureTrafficManagerProfile

Add-AzureTrafficManagerEndpoint

Update: To configure the same probe on an F5, load balancing the WAP servers, the string should look like:

GET /adfs/probe HTTP/1.1\r\nHost: fs.domain.us.gov\r\nConnection: Close\r\n\r\n
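As an added example (not code from the original post), the script below checks that each WAP server answers the /adfs/probe path over plain HTTP, which is what Traffic Manager or an F5 will test, and creates the Windows Firewall rule for port 80 on the WAP servers. The server names are placeholders, and it assumes PowerShell remoting to the WAP servers is already allowed.

```powershell
# Added example (not from the original post). Server names are placeholders;
# assumes PowerShell remoting to the WAP servers is already permitted.
$wapServers = @("wap01.domain.example", "wap02.domain.example")

function Test-AdfsProbe {
    param([string]$Server)
    try {
        # Traffic Manager treats only an HTTP 200 within its timeout as healthy;
        # anything else is what shows up as "degraded" in the portal.
        $resp = Invoke-WebRequest -Uri "http://$Server/adfs/probe" -UseBasicParsing -TimeoutSec 10
        [pscustomobject]@{ Server = $Server; StatusCode = $resp.StatusCode
                           Healthy = ($resp.StatusCode -eq 200); Error = $null }
    } catch {
        # Connection refused or a timeout usually means port 80 is blocked
        # or the WAP server is missing the update that added /adfs/probe.
        [pscustomobject]@{ Server = $Server; StatusCode = $null
                           Healthy = $false; Error = $_.Exception.Message }
    }
}

# Run the same check the load balancer will run, from a host that can reach the DMZ.
$wapServers | ForEach-Object { Test-AdfsProbe -Server $_ } | Format-Table -AutoSize

# On each WAP server, allow inbound TCP 80 for the probe only; federation traffic stays on 443.
# Narrow -RemoteAddress to the probe/load balancer sources if your design allows it.
Invoke-Command -ComputerName $wapServers -ScriptBlock {
    $ruleName = "ADFS Probe (HTTP 80)"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
            -Protocol TCP -LocalPort 80 -Action Allow -Profile Any
    }
}
```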

Microsoft Azure File Service *Preview* shows up in Azure Government

For those of you not familiar with how Azure File storage works, it’s shared storage for applications running in Azure using the SMB 2.1 protocol. This feature gives applications and operating systems, both in Azure and on-premises, a way to use a centralized SMB share using Azure Blobs. Data can be accessed via a mounted share or the File storage API; find out more here:

What is Azure File storage?

Azure Government Security & Notes from the field

There’s an exciting movement happening in the world of cloud computing and in the rate of adoption by various federal, tribal, and state and local government organizations. More than ever, customers large and small are looking for ways to leverage different Microsoft cloud technologies to break free from the chains of maintaining on-premises hardware and storage. The other half of that argument is the ever-growing desire to enable a mobile workforce: employees want flexibility and access to their data from locations other than their desktop.

Of course no roads are paved without first carefully planning for and mitigating the concerns and risks about said road, or parking garage if that’s a better analogy for your cloud space. There’s no question that security is at the forefront of this transitional period, and rightfully so.

I wanted to outline a few of the huge steps Microsoft has taken in their recently released Azure Government platform.

  • Isolation – All aspects of Azure Government’s infrastructure are completely isolated, meaning the physical datacenter, hardware, software, and the network. This includes all physical, logical, and network components of the service.
  • Community – Restricted to federal, state, local, tribal, and Department of Defense organizations, including their service providers.
  • Screened Personnel – All operational and support employees are US citizens who have been through a rigorous background screening process.
  • Location of Data – All customer data and content, both in transit and at rest, resides in the Continental United States. This includes all Azure Government infrastructure, i.e. hardware, software, networking, etc.
  • Business Continuity – Customers can enable geo-replication of data to another datacenter at least 500 miles away to provide business continuity in the event of a disaster.
  • East coast region – One region is on the east coast due to proximity to Government customers, and another is about 1000 miles west of that.

Certifications? Azure Government’s got those too. Microsoft is committed to achieving the certifications and accreditations that Government customers often require and request, including: CJIS, FedRAMP, DISA, ECSB, ITAR, HIPAA, IRS 1075, and FDA. For a complete list and more details, see the General Availability of Azure G announcement.

Technical features & practices

There are tons of questions to be raised when adopting a foreign technology such as managed services or Infrastructure as a Service. Using Azure is no different; often these questions revolve around more technical aspects such as control of network traffic, intrusion prevention, role-based access control, and general high availability of the servers and services running in Azure. While it is certainly true that, by design, some security precautions are put into the hands of Microsoft, you do have controls and features you can leverage to better fit your organization’s compliance and security requirements.

Network Security Groups

Network Security Groups (NSGs) were announced in November 2014 and were highly anticipated by those already using the Azure IaaS platform. NSGs can be assigned to specific subnets within your Azure Virtual Network, to specific groups of VMs, or to a combination of both. Once grouped, you have the granularity to configure the access control lists between NSGs, much like you would on your conventional on-premises firewall. You can see HERE an article I wrote on this feature and how I leverage it in Azure ADFS implementations for use with Office 365. Here’s a screenshot of what the ACL controls look like through PowerShell, which is currently the only method for implementing NSGs. This feature is available in Azure Government today.

[screenshot: ADFS-ACL]
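As an added example (not the post’s own screenshot or code), here is an NSG for an internal ADFS subnet built with the ASM-era Azure PowerShell cmdlets the post refers to: it allows only TCP 443 from the DMZ subnet where the WAP servers sit and RDP from an on-premises management range, then denies everything else inbound. The VNet, subnet, rule names and address ranges are placeholders, and it assumes an ASM subscription is already selected with Select-AzureSubscription.

```powershell
# Added example (not from the original post). VNet/subnet names and address ranges are
# placeholders; assumes the Azure (ASM) module with a subscription already selected.
$vnet      = "GovVNet"
$adfsSub   = "ADFS-Subnet"        # subnet holding the internal ADFS servers
$dmzRange  = "10.10.1.0/24"       # WAP / DMZ subnet address space
$mgmtRange = "192.168.50.0/24"    # on-premises admin range reachable over the S2S VPN
$nsgName   = "ADFS-NSG"

New-AzureNetworkSecurityGroup -Name $nsgName -Location "USGov Iowa" -Label "ADFS internal ACL"

# Lower priority number wins, so the explicit allows sit above the catch-all deny.
Get-AzureNetworkSecurityGroup -Name $nsgName |
    Set-AzureNetworkSecurityRule -Name "Allow-WAP-443" -Type Inbound -Priority 100 -Action Allow `
        -SourceAddressPrefix $dmzRange -SourcePortRange "*" `
        -DestinationAddressPrefix "*" -DestinationPortRange "443" -Protocol TCP

Get-AzureNetworkSecurityGroup -Name $nsgName |
    Set-AzureNetworkSecurityRule -Name "Allow-Mgmt-RDP" -Type Inbound -Priority 110 -Action Allow `
        -SourceAddressPrefix $mgmtRange -SourcePortRange "*" `
        -DestinationAddressPrefix "*" -DestinationPortRange "3389" -Protocol TCP

# Catch-all deny: anything not matched above, including other VNet subnets, is dropped.
Get-AzureNetworkSecurityGroup -Name $nsgName |
    Set-AzureNetworkSecurityRule -Name "Deny-All-Inbound" -Type Inbound -Priority 4000 -Action Deny `
        -SourceAddressPrefix "*" -SourcePortRange "*" `
        -DestinationAddressPrefix "*" -DestinationPortRange "*" -Protocol "*"

# Bind the NSG to the subnet so every VM placed in it inherits the ACL.
Set-AzureNetworkSecurityGroupToSubnet -Name $nsgName -VirtualNetworkName $vnet -SubnetName $adfsSub

# Review the effective rule set, including Azure's default rules.
Get-AzureNetworkSecurityGroup -Name $nsgName -Detailed
```

If the ADFS servers need to reach domain controllers in another subnet, that outbound traffic is still allowed here; only inbound connections to the ADFS subnet are restricted by these rules.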

Internal Load Balancers

The ease with which you can create internal load balancers is quite impressive, although you still need to use the Azure PowerShell modules to accomplish this task. The importance of this feature is in contrast to the load-balanced sets you can create for VMs in the same Cloud Service, which are automatically assigned a public virtual IP address (VIP). VMs that are not in the perimeter of your Azure network, or don’t need to be accessible from the internet, don’t need a publicly routable IP address. You can find out more about internal load balancers and their configuration HERE.

Forced Tunneling

Forced tunneling is when you configure specific VMs or subnets in your Azure Virtual Network to send internet-bound traffic across the site-to-site VPN and through your on-premises infrastructure, as opposed to using the Azure default route straight to the internet. This feature gives organizations that have such a compliance requirement control over the HTTP/HTTPS traffic originating from these servers. Your VPN gateway must be configured as a dynamic routing gateway to take advantage of this feature; for more information check out the page HERE.

Multi-Factor Authentication

Multi-factor authentication is built right into the Azure web portal and can be enabled on a per-user basis. This is most typically requested and required for administrators and co-administrators accessing their Azure tenant for operational tasks.

Operational Logs

Logs can be queried by time frame and type of action within the Azure portal; additional audit logs can be requested for items not accessible or visible in the portal.

Role Based Access Control

As of right now there is no RBAC in Azure Government; however, Microsoft is constantly updating the platform with features already implemented in its commercial counterpart. For information about RBAC in Azure, check out this article about Azure Resource Groups HERE.

These are just a few of the items that have been leveraged or asked about by customers evaluating or implementing an Azure solution in their organization; hopefully one or two of them pointed you in the right direction.

Connect to Azure Government via PowerShell


Microsoft’s Azure Government is here, and it’s really cool, but if you found this article via Bing you already know that. You’re here because you figured out that some additional steps are required to get connected to your Azure G trial or subscription using PowerShell, beyond what you did for your enterprise subscriptions.

Assuming you have the proper administrative permissions in said Azure Government subscription (i.e. co-admin/admin), follow these easy steps to get connected:

Step 1) Go to the URL below to download the publish settings file from your Azure Government subscription: https://manage.windowsazure.us/publishsettings/index?client=xplat

Step 2) Setup the Azure Government environment in your Azure PowerShell module/session by running the following commands:

  • Add-AzureEnvironment -Name "AzureGovernment" -PublishSettingsFileUrl "https://manage.windowsazure.us/publishsettings/index?client=xplat" -ServiceEndpoint "https://management.core.usgovcloudapi.net" -ManagementPortalUrl "http://manage.windowsazure.us" -StorageEndpoint "core.usgovcloudapi.net"
  • Set-AzureEnvironment "AzureGovernment"

Step 3) Use Import-AzurePublishSettingsFile to import the file you saved in step 1. Once completed, you can confirm your current active subscription with Get-AzureSubscription, and use Select-AzureSubscription if you have multiple subscriptions imported.

To revert to the Azure Enterprise environment, run Remove-AzureEnvironment "AzureGovernment".

Office 365, create shared mailboxes

Been busy lately; I have some really cool things I want to blog about and they should surface sometime in the next couple of weeks. Until then, here’s an old script I created for creating shared mailboxes in Office 365. The script requires you to know the AccountSku details and to have created and synchronized an AD user to Azure AD. After that, the script will license the account to provision a mailbox, convert the mailbox to shared, then remove the license. Again, make sure to update those license/AccountSku items below.

Oh yeah, and this is to be run via the Azure AD PowerShell Module.

#Script by Kyle Green
#kylgrn.com

#------Connect to Azure AD-------#

$LiveCred = $host.ui.PromptForCredential("Need credentials", "Please enter your Office 365 Global Administrator credentials.", "", "NetBiosUserName")
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session
Connect-MsolService -Credential $LiveCred

Clear-Host

Write-Host "Please enter the UserPrincipalName of the mail-user you wish to convert to a shared mailbox..." -ForegroundColor Yellow
$ConvertUser = Read-Host "UserPrincipalName"

Write-Host "Converting Mailbox....." -ForegroundColor Yellow

#------Apply License-------#
# Update the AccountSkuId and the disabled plans to match your tenant
$office365sku = "ORGNAME:ENTERPRISEPACK_GOV"
$MyO365Sku = New-MsolLicenseOptions -AccountSkuId $office365sku -DisabledPlans SHAREPOINTWAC_GOV,SHAREPOINTENTERPRISE_GOV,RMS_S_ENTERPRISE_GOV,OFFICESUBSCRIPTION_GOV,MCOSTANDARD_GOV
$UsageLocation = "US"
# A usage location is required before a license can be assigned
Set-MsolUser -UserPrincipalName $ConvertUser -UsageLocation $UsageLocation
Set-MsolUserLicense -UserPrincipalName $ConvertUser -AddLicenses $office365sku
Set-MsolUserLicense -UserPrincipalName $ConvertUser -LicenseOptions $MyO365Sku

# Give Exchange Online time to provision the mailbox before converting it
Start-Sleep -s 120

#------Convert to Shared-------#
Set-Mailbox -Identity $ConvertUser -Type Shared

Start-Sleep -s 20

#------Remove License-------#
# A shared mailbox does not need a license once it has been converted
Set-MsolUserLicense -UserPrincipalName $ConvertUser -RemoveLicenses $office365sku

Write-Host "Mailbox conversion complete" -ForegroundColor Green