Azure Archives

Azure spring clean 2020

30/01/202003/02/2020
by Martin Ehrnst

Azure spring clean is a community initiative where the idea is to convey best practices and lessons learned managing Azure. During February 2020 we will have a broad selection of blog posts and videos on Real-world scenarios and solutions from the community. Covering topics like Azure Monitor, policies, and cost management.

The first post goes online on February 3.

Date	Article	Contributor	Category
03/02/20	Azure RBAC – Best Practices	Alan Kinane	Azure Foundations
04/02/20	Azure Policy for AKS	Sam Cogan	Azure Policy
05/02/20	Monitoring Containers on Azure with Windows Admin Center	Dave Rendón	Azure Monitor
06/02/20	How to use Tags to organize your Azure resources	Wim Matthyssen	Azure Foundations
07/02/20	Azure Governance – Best Practises	Amine Charot	Azure Foundations
10/02/20	Nailing your Naming Convention with Azure Policy	Matt Browne	Azure Foundations
11/02/20	Azure Cost Management – Best Practises	Sarah Lean	Azure Cost Management
12/02/20	Protect your network resources with Azure Firewall	Luis Beltran	Azure Security Principles
13/02/20	Monitoring Azure Site Recovery	Karel De Winter	Azure Monitor
14/02/20	Using Azure Advisor to baseline your platform	Sam Hodgkinson	Azure Foundations
17/02/20	Using Azure Resource Graph To Assess Your Azure Environment Quickly & Efficiently	Jack Tracey	Azure Foundations
18/02/20	Azure Monitor – Best Practices for Sanity	Kam Salisbury	Azure Monitor
19/02/20	Azure Storage and Backup Lifecycle Best Practices	Dwayne Natwick	Azure Foundations
20/02/20	How to Use and Monitor Azure Update Management	Vukasin Terzic	Azure Fundamentals
21/02/20	Azure Security: my top 10 best practises to make your tenant secure as possible	Shabaz Darr	Azure Security Principles
24/02/20	Simplify Large Scale Deployments with Azure Blueprints	Isham Mohamed	Azure Foundations
25/02/20	Azure Kubernetes Service (AKS) securing Clusters and Applications	Adil Touati	Azure Security Principles
26/02/20	Azure Monitor – Autoscaling Resources Based on Performance	Anthony Mashford	Azure Monitor
27/02/20	How to Avoid a Billing Shock With Azure Serverless Solutions	Stanislav Lebedenko	Azure Cost Management
28/02/20	Securing Your Azure Platform Web Applications	Tidjani Belmansour	Azure Security Principles

Thanks to all the content creators, MVPs Joe Carlyle and Thomas Thornton for starting this!

Azure

Access to Blob storage using Managed Identity in Logic…

23/01/202023/01/2020
by nadeemahamed

I am delighted to share the first guest post on my blog.
Nadeem Ahamed Riswanbasha is a cloud enthusiast and community contributor working for Serverless360 in India.

Please check out his Twitter and LinkedIn profile.

Access to Blob storage using Managed Identity in Logic Apps

By default, when we create a new blob storage container the level of public access will be set to “Private (no anonymous access)”. This is because to extend the security level of the blob container. Nevertheless, if the user wishes to set the level of public access to “container (anonymous read access to the container)” which allows accessing the file by anyone, then it can be modified at the time of creation.

Assume, the business use case needs a high level of security and wants to keep the container/blob more secure. In this case, there are a lot of ways to access the secured blob/container through proper authentication. One way of achieving authentication is through Managed Identity.

What is Managed Identity?

Managed Identity allows you to authenticate to Azure AD and access Azure resources. At the backend, the identity (credentials) will be managed and secured for you. The user doesn’t necessarily need to provide or rotate the secrets.

There are two types of Managed Identity

System-assigned

The lifecycle of a system-assigned identity is directly tied to the Azure service instance that it’s enabled on (Logic app here). So, if this Logic App is deleted, Azure automatically cleans up the credentials and the identity in Azure AD.

User-assigned

User-assigned managed identity is created as a standalone Azure resource i.e. Not tied to any service. So, it is the same as explicitly creating the AD app and can be shared by any number of services. Currently, Logic Apps only supports the system-assigned identity. Now, let us explore how to authenticate access to Azure Blob storage using Managed Identity in Logic Apps.

Enable managed identity in Logic Apps

First off, we need to enable the system-assigned identity in the logic app that you wish to access the blob storage through.
To do this, follow the steps below;

Go to the logic app menu and select the identity option under settings
A new window will be prompted under which switch the status option to ON and click Save.

enable system assigned identity in Logic App

Give managed identity access to Blob storage through RBAC

Switch to the Azure Blob Storage container menu
In the left pane, click on the Access control (IAM)
Go to the Role Assignments option and click Add
Now, a new blade will be opened on the right side of the window
Fill in the details as follows;
Role – Storage Blob Data Contributor
Assign access to – Logic App
Select – <your logic app>

You can now see that the Logic App has been assigned as a Storage Account Contributor in the role assignment section.

Design the Logic App to access the Blob

Now, let us jump in and design the logic app to access the blob storage container or files into it. But remember, not all the trigger and actions of the logic app supports managed identity feature. Here is the list of triggers and actions that supports it.

Now, let us head back to the logic app (here LinkedInTest) designer page
Add a Recurrence trigger for the logic app with a defined interval of time
Subsequently, add a new HTTP (it supports managed identity) action to the logic app
In the HTTP action, fill the following fields as follow;
- Method – Get
- URI – <the URI of the blob>
- Headers –
- x-ms-blob-type: BlockBlob
- x-ms-version: 2019-02-02
- Authentication – Managed Identity
- Audience – https://storage.azure.com (this sets the scope to all of your storage accounts)

Test your Managed Identity enabled Logic App

Save the logic app and run it. You can now see in the run history of the logic app that blob content has been successfully accessed through managed identity authentication.

Wrap-up

In this blog, we have seen how to access blob using a system-assigned managed identity in the Logic Apps.

On enabling the logic apps managed identity, an AD app gets created with the same name as that of the azure service (here LinkedInTest, logic app) in Active directory, you can check it in Enterprise Application.

Hope you enjoyed reading this article. Happy Learning!

Azure Lighthouse

Azure Advent Calendar #4: Azure Lighthouse

04/12/201925/11/2019
by Martin Ehrnst

Door #4

Behind door number four of the Azure Advent Calendar 2019, we find Azure Lighthouse. Lighthouse provides simplified resource management in Azure cross tenants.
This makes it very interesting for larger enterprises, who often separate their user directory from the services. And for managed service providers, who deliver services to multiple customers, seeking the utopia of single-pane management.

You can find my video here, and all other contributions on the YouTube channel.

Azure Lighthouse resources

If you want to read more about Azure Lighthouse and it’s capabilities, I recommend the official documentation and the official GitHub repository
For more community-related content, I suggest you check Wesley Haakmans blog.

Azure Advent Calendar is such a great initiative from Gregor Suttie and Richard Hooper. I really dig how the Azure community put together all this content- thank you.
I am sure it will be a great success and hopefully continue in the years to come.

Thank you for having me on.

Azure

Microsoft Ignite 2019 announcements and news

04/11/201913/11/2019
by Martin Ehrnst

It is Monday morning and Ignite announcements are coming in fast. The releases itself aren’t that groundbreaking as previous years, but looking at them from 10.000 feet they represent something very interesting in my opinion.

At Microsoft Ignite in 2015, we were pitched that everyone should run in the public cloud only.
Over the years, Microsoft has invested heavily in the hybrid scenario, introducing Azure stack and other services. With the announcements from Ignite 2019, I feel like we are completing the circle. Azure Arc lets us manage on-premises as we do with Azure, using ARM. Azure Functions are getting more hybrid/local benefits, and the same goes for many of the other services.

Below you can find what I find particularly interesting. Expect this list to evolve and change throughout the week.

For all announcements from Ignite 2019 read the Microsoft Ignite Book of news

Azure Arc

If you think Microsoft all over your infrastructure already. Azure Arc extends Azure management to any cloud and on-premises. I am really looking forward to testing this out! ARM templates on-premises?

Azure Monitor

Azure monitor itself doesn’t get any new features. But all other services get better integration with Azure Monitor. Prometheus support is GA, and hybrid monitoring for containers (kubernetes) is announced as a preview.

Azure Functions

As with the announcement of Azure Arc. Support for multi-cloud and hybrid cloud continues to evolve with Azure Functions. Premium support is now GA, as well as PowerShell. With Powershell support in functions, and Premium plan with hybrid support. I am keen to hear about the future of Azure Monitor.

Azure Cost Management for CSP

Finally. If you know the struggle you are probably as excited as I am, that Azure Cost Management now is available for CSP subscriptions. This means that we can provide cost management seamlessly across all subscription models, and leverage the same APIs

Tags for subscriptions

A long-awaited feature. The ability to add tags to subscriptions is finally available.

Azure

Ignite 2019 session tips

04/11/201904/11/2019
by Martin Ehrnst

Ignite 2019 is just around the corner, and we have a lot to look forward to. According to the session builder, there are almost 2000 sessions to choose from. Even Monday has 321!

In this post, I will share what I think you should look out for and what sessions to attend.

Keynotes

First things first. Monday is packed with keynotes. Satya Nadella’s vision keynote will tell us how Microsoft sees the future and sets the mood for the coming week. We can also expect a few announcements coming as well.

After the vision keynote, each product team has their own technology keynote. These are usually really good and packed with demos.
For Ignite 2019 I am not sure which I will attend. But it will be one of these two:

Breakout sessions

One hot tip that I have, is the ability to chose a learning path. This lets you add all breakout sessions within the learning path, and with that have consistency in your sessions. If you’re going à la carte, I think these sessions look interesting.

Hallway sessions

Ignite 2019 have a great option called Expert Connect. Here you can schedule to meet subject matter experts and discuss your real-world challenges.

Personally, I have cut down on the number of sessions that I attend each day. And instead, I am prioritizing side meetings and the occasional “hallway session”.
Most of the breakout sessions are available on-demand when you get home.
If you want to meet, let me know!

Azure spring clean 2020

Share this:

Access to Blob storage using Managed Identity in Logic…

Access to Blob storage using Managed Identity in Logic Apps

What is Managed Identity?

System-assigned

User-assigned

Enable managed identity in Logic Apps

Give managed identity access to Blob storage through RBAC

Design the Logic App to access the Blob

Test your Managed Identity enabled Logic App

Wrap-up

Share this:

Azure Advent Calendar #4: Azure Lighthouse

Door #4

Azure Lighthouse resources

Share this:

Microsoft Ignite 2019 announcements and news

Azure Arc

Azure Monitor

Azure Functions

Azure Cost Management for CSP

Tags for subscriptions

Share this:

Ignite 2019 session tips

Keynotes

Breakout sessions

Hallway sessions

Share this: