adatum | Page 2 of 16 | Another IT blog focusing on Azure management and surrounding areas

Azure Lighthouse why is it so important

15/08/201920/12/2019
by Martin Ehrnst

Working for a Managed Service Provider (MSP) I have many times faced the challenges of managing multiple separate customers from one single pane. Whether it is a multi-tenant active directory, single AD or a vanilla Azure tenant. An MSP is only good when they can build tools to manage all customers in a streamlined fashion.

In the Microsoft sphere, partners and large enterprises have faced many of the same challenges. If you are a large enterprise, you might be eligible for an Enterprise Agreement.
As a partner, you can apply to become a (tier 1) Cloud Solution Provider (CSP). The tools provided are are far from good enough. The challenge is that you are still bound to tenant isolation. If you wanted to have a view of all alerts in Azure Monitor for all your customers. You need to create a tool that authenticates against each individual tenant and retrieves this information. Similar to what I did with SCOM.

Project Towboat

Last year I attended a side meeting for MSPs at Ignite. We discussed at scale management in the Azure Portal. We were promised that something called Project Towboat was planned. Since then it have been dead silent.
Out of the blue, Microsoft announced Azure Lighthouse. Promising simplified cross tenant resource management. So what makes this so great?

Delegated resource access

Azure Lighthouse uses delegated resource access. In essence, the customer establishes a trust with your (management/master) tenant. This allows for the users in the management directory (tenant) to manage resources on behalf of their customers. Many use Azure AD B2b to manage resources across multiple tenants. With Azure Lighthouse, you can do that without changing the context of the user.

In my opinion. Here are some of the features that make Azure Lighthouse so important to MSPs, and others managing multiple tenants.

Cross tenant monitoring in Azure

Azure Monitor is now multi-tenant. As long as the resource group or subscription is available for the person using Azure Monitor. Application and infrastructure monitoring is available from a single pane of glass.

Multi-tenant Log Analytics queries

Log Analytics is a part of Azure Monitor and is called Azure Monitor Logs, the engine behind is Log Analytics.
Log Analytics is already capable of searching within multiple workspaces. Since Azure Lighthouse will surface your customer’s workspaces, you can run cross tenant queries, how cool is that?

Azure security center for all customers

The beauty with delegated resource management just continues. Another great thing for your security team apart from Log Analytics is Azure Security Center is available in Azure Lighthouse. This means that the team (or that one person) can look at one single dashboard, or write the integration against one tenant.

Summary

With Azure Lighthouse greatly simplifies at scale and cross tenant management. Being tightly integrated with Azure Resource Manager for deployment, as well as Azure Monitor and Security Center for monitoring infrastructure and security.

I am really looking forward to creating solutions and working more with Azure Lighthouse. It is a long-awaited product, and with this launch, Microsoft is way ahead of its competitors.
Expect more dedicated posts on how to manage and automate using lighthouse in the future.

You can read more and find examples on the official Azure Lighthouse documentation and Azure Lighthouse github examples

Azure Monitor

Metric alerts for Azure monitor logs

12/06/201912/06/2019
by Martin Ehrnst

A common thing for traditional companies is to have one team responsible for monitoring. A few years ago, this team where close friends with the team provisioning infrastructure. Now, more and more companies are shifting to the “DevOps” world. Even Microsoft have killed SCOM and are only using Azure Monitor. Meaning that the one deployed the code (and the infrastructure) should be responsible for monitoring. In essence, this is great. But this transition takes time, and one should not underestimate the knowledge of the team who have been responsible for monitoring your entire infrastructure for decades.

If you are familiar with SCOM, you know that rules and monitors is targeted against a class of objects. IE, Windows 2016 operating system. When we move our workloads to Azure, we want to use Azure Monitor to monitor our workloads and VMs.

Enter Log alerts

Log Alerts has been around for quite some time and is commonly used to alert on actual log data. IE custom application logs, Windows event log and so on. But Log alerts has a “hidden” feature, especially for your monitoring teams, not wanting to manage hundreds of duplicate rules.

By using Log alerts with metric measurements you can almost replicate the what discoveries in SCOM does- find resources of a specific type, and attach some kind of monitoring to them. For example, you can create a search query for all your IaaS VMs and alert on their CPU counter.

This will let your monitoring team recreate all their logic, and have control over the entire infrastructure, almost as they had on-permises. At the same time you can leverage more DevOps practices and at the end have every team responsible for their own work.

Kusto examlpe

Below is a simple example that will list all VMs and their processor time. You can create an alert straight from Azure Monitor logs (former Log Analytics) or start from a new alert.

 Perf | where ObjectName == "Processor" and CounterName == "% Processor Time" | summarize AggregatedValue = avg(CounterValue) by bin(TimeGenerated, 5m), Computer

Summary

You have the option to monitor multiple VMs using one Alert Rule in Azure Monitor already. But one limitation is that this solution will not add new VMs to the alert rule. And for the time being, it only supports virtual machines
Log alerts are dependent on your query. So as long as your data is available, you can alert on it. Whether it is a web app, a SQL server or a custom log.

With Log Alerts, the transition to a public cloud-based infrastructure might be easier. Your operations teams can use their knowledge and re-create their on-premises monitoring logic as searches.
Application alerts could still be handled by the developers, and you can provision those using ARM templates or similar.

PS: I was going to write a longer post on how to manage and programmatically create log alerts, but with these great examples in Microsoft docs, there’s no need to re-invent the wheel.

Community

Day Two Cloud Podcast

17/04/201923/04/2019
by Martin Ehrnst

Day Two Cloud is a podcast by Ned Bellavance. This podcast series is about what happens in the real world. Behind all the hype and buzzwords, what do hyper-scale and public cloud require?

In Day Two Cloud, Ned talks to people in the industry which have a story to share. Like what happened after successful cloud migration. Did everything work as you planned, or have you redesigned your whole project?

Digital Transformation Is More Than Just Cloud Migration

I was lucky to be invited as a guest in episode seven, where we talk about Digital transformation strategy in startups, government-owned, and larger organizations. What are their similarities and differences? What do they need help with, managing a public cloud?
The episode starts off by being fairly technical, but suddenly the conversation goes in a completely different and interesting direction. When we touch upon the human aspects of digital transformation.

Day Two Cloud is available on Packet Pushers and iTunes

Operations Manager

Cookdown for SCOM monitor, extend and integrate

08/04/201906/04/2019
by Martin Ehrnst

It’s been a while since I worked daily with SCOM. But I still get my hands dirty with my old friend from time to time. For many years I used most of my time extending SCOMs functionality and integrating with other enterprise systems. I created a REST API before the SCOM had this available, and I have also created alot of custom management packs with PowerShell script monitors.
SCOM is one of the most used enterprise monitoring systems around, and companies will rely on it for many years to come. Integrations with SCOM will still be a key for many organizations. Luckiliy, you got a friend.

Cookdown launch

Cookdown is a new initiative aiming to blow new life in to your existing investment in SCOM and deliver stuff like ServiceNow integration and Easy Tune to help you out with those pesky overrides.

The team behind Cookdown will host a launch webinar on April 10. And if you’re interested in integration and extensions for SCOM you should definitely attend.

Azure

Azure AD authentication in Azure Functions

28/03/201928/03/2019
by Martin Ehrnst

Ever had the need to enable Azure Active Directory authentication in Azure Functions? In a recent project I wanted to use Azure Functions, and I wanted both system-to-system authentication, as well as user based. As Azure Functions is a part of the app services in Azure. It share many of the same features. Authentication being one of them.

Enable authentication

The scope for this blog post is not to show you how to build an Azure function, but enable Azure AD authentication on it. You can add auth to your existing function or create a new one using your method of choice. For simplicity, I will show the process using the Azure portal.

To enable authentication in Azure Function. Navigate to “Authentication/authorization”. This wil open a series of blades which guides you through the process.

If your not familiar with Azure AD and custom application registrations, I recommend that you use the Express option. This will create the needed application in AAD for you.

Enable azure ad authentication in azure function

Change to anonymous authentication

By default Azure Function uses something called “Function authentication” This is where all your requests have a code parameter at the end of the URL.

https://my-function-app.azurewebsites.net/api/function-name?code=xyzx-zyxx...

We want to have Azure AD perform authentication and authorization, and not the function it self.

Within the GUI, its just a flick of a switch. If you are developing locally, using C# you typically do this:

 public static HttpResponseMessage (run
[HttpTrigger(
AuthorizationLevel.Anonymous)]
HttpRequestmessage request)
{
logic
}

Enable user assignment

After changing authorization level and enable AAD authentication, you can enable user assignment. You can skip this step if everyone in your organization shoul have access.

To enable user assignment. Navigate to enterprise application under AAD, and look up the app created by the wizard. The enterprise app is the service principal representing the application you created. Your Azure Function.

Under properties, find the swith for user assignment and turn it on. Navigate to your function URL and see if it works, meaning access denied.

Later add your own user and verify authentication works through Azure AD.

If you want other applications (clients) to call your function, you will have to assign them API access. The same way you give access to for example Microsoft Graph API, you will find your custom application as well.

But. This will not work right away. By default, there are no application roles assigned. Only delegated permissions. For client authentication to work, you will need to add custom roles to the app representing your Azure Function. It is not difficult, but I used too much time finding it out. Mocrosoft has it documented here

Authenticate with code

Chances are that your azure function is not a graphical website. Therefore I assume you want to authenticate using code. Either with your own user, or with a separate application/secret combination (app credentials).

The great thing about this is that it works just as any other Microsoft/Azure APIs. If you know how to get a token from Microsoft, you can use the same techniques against your function. My example below show how to retrieve a token for our azure function, and use that bearer token against the function. I use a client application in this scenario.

Summary

This feature is great. I consider my self as a modern IT operations guy. And operations role these days requires more coding and scripting. It is super easy to expose things on the internet. But remember, it might also be just as easy to secure.
I have no idea on how to implement a authentication layer. And if i can use one of the best, i’m all aboard.

Azure Lighthouse why is it so important

Project Towboat

Delegated resource access

Cross tenant monitoring in Azure

Multi-tenant Log Analytics queries

Azure security center for all customers

Summary

Share this:

Metric alerts for Azure monitor logs

Enter Log alerts

Kusto examlpe

Summary

Share this:

Day Two Cloud Podcast

Digital Transformation Is More Than Just Cloud Migration

Share this:

Cookdown for SCOM monitor, extend and integrate

Cookdown launch

Share this:

Azure AD authentication in Azure Functions

Enable authentication

Change to anonymous authentication

Enable user assignment

Authenticate with code

Summary

Share this: