Cloud – Tunecom (https://www.tunecom.be/stg_ba12f): Get in tune with your digital transformation journey

How to use SNAT (Source Network Address Translation) for outbound Windows Virtual Desktop connections
https://www.tunecom.be/stg_ba12f/?p=1078 (Thu, 11 Feb 2021 17:31:04 +0000)
During the lifecycle of your Windows Virtual Desktop environment, you might encounter the following issues.

The issue

  • Users not being able to browse certain websites
  • Random WVD hosts not being able to connect to specific 3rd party hosted web apps

Normal behavior

Since there is no physical network hardware layer you can troubleshoot, one rather obvious cause that is often overlooked is SNAT (Source Network Address Translation). In a traditional on-premises environment you would have a reverse proxy or other networking equipment in place that translates all of your internal workspace IP addresses to a single public IP address.

Root cause

Windows Virtual Desktop is an Azure native solution built on IaaS. Virtual machines running on Azure have direct internet connectivity through the Azure backplane. Just like Microsoft 365, a wide range of public IP addresses and ports is used to connect to online services.

This wide range of public IP addresses might just be the reason for the previously mentioned issues.

The solution: Configuring SNAT on your Windows Virtual Desktop Host Pool

What is SNAT? The following Microsoft Docs site explains all of the possible options and configurations for SNAT in more detail.
In our use case, we want to use SNAT to masquerade our back-end WVD Host IP Addresses to a single Public IP address.

What is required? We need a Standard public Azure Load Balancer configured in front of our WVD hosts and an outbound (SNAT) rule configured to allow outbound connections.

Deploying the solution

Let’s get started with deploying the new load balancer and assigning the SNAT rules to the WVD hosts.

PowerShell Script

You can run the PowerShell script provided below or review it on my GitHub repo.

#region clear variables & in memory parameters
$slb = $null
$vm = $null
$NI = $null
$natrules = $null
$NIConfig = $null
$ELBPurpose =  $null
$ELBlocation = $null
$SKU =  $null
#endregion

#region input variables
$ELBPurpose = "enter the purpose of your loadbalancer (ex. wvd)"
$ELBlocation = "enter the location of your loadbalancer (ex. westeurope)"
$SKU = "enter the SKU of your loadbalancer (ex. standard)"
$ELBResourceGroup =  "enter the resource group name of your loadbalancer (ex. prd-network-rg)"
#endregion

#region naming convention
$ELBconvention = "-elb"
$PIPconvention = "-pip"
$FrontEndConvention = "-fep"
$BackEndConvention = "-bep"
$OutboundRuleConvention = "-obr"

$ELBname = $ELBPurpose + $ELBconvention
$ELBpip = $ELBname + $PIPconvention
$ELBFrontEndName = $ELBname + $FrontEndConvention
$ELDBackEndPoolName = $ELBname + $BackEndConvention
$ELBOutboundRulename = $ELBname + $OutboundRuleConvention
#endregion

#region loadbalancer deployment

# Step 1: Create a new static public IP address (the SKU must match the load balancer SKU)
$publicip = New-AzPublicIpAddress -ResourceGroupName $ELBResourceGroup -Name $ELBpip -Location $ELBlocation -AllocationMethod Static -Sku $SKU

# Step 2: Create a new front end pool configuration and assign the public IP
$frontend = New-AzLoadBalancerFrontendIpConfig -Name $ELBFrontEndName -PublicIpAddress $publicip

# Step 3: Create a new back end pool configuration
$backendAddressPool = New-AzLoadBalancerBackendAddressPoolConfig -Name $ELDBackEndPoolName

# Step 4: Create the actual load balancer
$slb = New-AzLoadBalancer -Name $ELBname -ResourceGroupName $ELBResourceGroup -Location $ELBlocation -FrontendIpConfiguration $frontend -BackendAddressPool $backendAddressPool -Sku $SKU

# Step 5: Assign the back end VMs to the loadbalancer
$VMs = Get-AzVM | Out-GridView -PassThru -Title "Select your WVD hosts"
$bep = Get-AzLoadBalancerBackendAddressPoolConfig -Name $ELDBackEndPoolName -LoadBalancer $slb

foreach ($vm in $VMs) {
    # Resolve the NIC from the VM's network profile instead of a wildcard name match,
    # which would also match e.g. "wvd-host-10" when looking for "wvd-host-1"
    $NI = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
    $NI.IpConfigurations[0].LoadBalancerBackendAddressPools = $bep
    $NI | Set-AzNetworkInterface
}

# Step 6: Assign the outbound SNAT rule, referencing the front end and back end pool as they exist on the deployed load balancer
$myelb = Get-AzLoadBalancer -Name $slb.Name -ResourceGroupName $ELBResourceGroup
$feConfig = Get-AzLoadBalancerFrontendIpConfig -Name $ELBFrontEndName -LoadBalancer $myelb
$beConfig = Get-AzLoadBalancerBackendAddressPoolConfig -Name $ELDBackEndPoolName -LoadBalancer $myelb
$myelb | Add-AzLoadBalancerOutboundRuleConfig -Name $ELBOutboundRulename -FrontendIpConfiguration $feConfig -BackendAddressPool $beConfig -Protocol "All"

# Step 7: Commit the loadbalancer configuration to Azure
$myelb | Set-AzLoadBalancer

#endregion
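To confirm what the script deployed, the check below (an added example, not part of the original post or its GitHub repo) reads the load balancer back and reports the public IP the hosts will egress from, whether an outbound rule exists at all, and which of the selected WVD hosts are actually members of the backend pool. The resource group and load balancer names are assumptions that follow the naming convention above.

```powershell
# Verification of the SNAT deployment (added example; names are assumptions following the naming convention above)
$ELBResourceGroup = "prd-network-rg"
$ELBname = "wvd-elb"

$lb = Get-AzLoadBalancer -Name $ELBname -ResourceGroupName $ELBResourceGroup

# 1. The single public IP all backend hosts are translated to.
#    Resource ID layout: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/publicIPAddresses/<name>
$pipIdParts = $lb.FrontendIpConfigurations[0].PublicIpAddress.Id -split '/'
$pip = Get-AzPublicIpAddress -Name $pipIdParts[-1] -ResourceGroupName $pipIdParts[4]
Write-Host "Egress public IP for the WVD hosts: $($pip.IpAddress) (SKU $($pip.Sku.Name))"

# 2. Without an outbound rule the backend hosts have no SNAT path through this load balancer,
#    which is the connectivity loss the warning in the post refers to.
if ($lb.OutboundRules.Count -eq 0) {
    Write-Warning "No outbound rule configured on $ELBname - hosts in the backend pool have no SNAT path to the internet"
} else {
    foreach ($rule in $lb.OutboundRules) {
        # AllocatedOutboundPorts 0 means Azure allocates SNAT ports automatically based on the backend pool size
        Write-Host "Outbound rule $($rule.Name): protocol $($rule.Protocol), allocated ports per host $($rule.AllocatedOutboundPorts), idle timeout $($rule.IdleTimeoutInMinutes) min"
    }
}

# 3. Which NICs are in the backend pool; each entry is an IP configuration ID that starts with the NIC's resource ID.
$poolIpConfigIds = @($lb.BackendAddressPools | ForEach-Object { $_.BackendIpConfigurations.Id })

$VMs = Get-AzVM | Out-GridView -PassThru -Title "Select the WVD hosts to verify"
foreach ($vm in $VMs) {
    $nicId = $vm.NetworkProfile.NetworkInterfaces[0].Id
    # -like is case-insensitive, so differences in resource ID casing between the VM and the pool do not matter
    $inPool = $poolIpConfigIds | Where-Object { $_ -like "$nicId/*" }
    if ($inPool) {
        Write-Host -ForegroundColor Green "$($vm.Name): in backend pool, egress via $($pip.IpAddress)"
    } else {
        Write-Host -ForegroundColor Red "$($vm.Name): NOT in backend pool, not covered by the outbound rule of $ELBname"
    }
}
```

As a final end-to-end check, a web request from one of the hosts to a site that echoes the caller's address should show $pip.IpAddress rather than one of the Azure default SNAT addresses.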

The end result will look similar to the screenshots below.

Warning!

The scripts are provided as-is, please be very careful and test run the scripts on a “test” environment or an environment that allows you to perform some quick checks and tests. Adding a standard load balancer with no SNAT rules can cause internet connectivity loss for Windows Virtual Desktop users.

Thank you!

Thank you for reading through this blog post, I hope I have been able to assist in adding SNAT rules to WVD.

If you encounter any new insights, feel free to drop me a comment or contact me via mail or other social media channels.

How to retrieve lingering FSLogix profiles on Windows Virtual Desktop, mounted from an Azure File share
https://www.tunecom.be/stg_ba12f/?p=1038 (Mon, 01 Feb 2021 19:13:15 +0000)
In the last couple of months, we’ve seen the following strange behavior coming from an FSLogix profile, mounted on a Windows Virtual Desktop host with an Azure File share as an underlying storage provider.

The issue

In some very particular cases it happens that when a user logs off its session from a WVD (Windows Virtual Desktop) host, the corresponding FSLogix profile is not dismounted from the host.

When the user tries to login again to the environment, this results in the following error.

Status : 0x0000000B : Cannot open virtual disk
Reason : 0x00000000 : The container is attached
Error code : 0x00000020 : The process cannot access the file because it is being used by another process

Normal behavior

During normal behavior of the login and log off process to Windows Virtual Desktop in combination with an FSLogix profile, the profile is mounted from the underlying storage provider and correctly dismounted upon successful log off of the Windows Virtual Desktop host.

Root cause

The root cause of why the profile container is not dismounted from the host is hard to pin down. In most cases an update of the FSLogix components is required, so make sure to read through the latest FSLogix release notes.

Looking for the lingering VHD(X) container

During the days that we had our profile shares/data hosted on a traditional IaaS fileserver, we would just open up an MMC console and look for any open files or sessions.

Since our profiles are now being hosted on an Azure File share, this process is slightly different. I’ve written a small PowerShell script for you to use and/or alter to your needs.

What it does or can do

The input variables are pretty straightforward:

  • Mode: You can alert or react to a possible lingered FSLogix profile (under construction)
  • ProfileStorageAccount: You need to provide the storage account name where you store your FSLogix containers
  • ProfileShare: Following your storage account, we also need the specific file share
  • StorageAccountResourceGroupName: Our resource group name where our storage account is located is required

Note: The script is currently “designed” to query only one storage account/file share, and only one host pool per run. You could of course alter this to check all host pools and related storage accounts.

The script loops through your active Windows Virtual Desktop sessions and active storage handles.

It then checks, for each storage handle, whether it has a corresponding active WVD session. If not, you are presented with the name of the virtual machine where the FSLogix container is still mounted.

PowerShell Script

Save this PowerShell script as “Clean-LingeringFSLogixProfiles.ps1”. Read through the blog post to retrieve the in-VM script. The scripts can be downloaded from my GitRepo as well.

<#
.SYNOPSIS
    Dismount lingering FSLogix VHD(X) profiles.

.DESCRIPTION
    Dismount lingering FSLogix VHD(X) profiles.

.PARAMETER Mode
    Provide the execution mode of the script.
    Alerting : Generates an alert whenever a lingering FSLogix VHDX profile is found
    React : Tries to dismount the lingering FSLogix Profile on the host where it is attached

.PARAMETER ProfileStorageAccount
    Provide the storage account where the FSLogix profiles are located

.PARAMETER ProfileShare
    Provide the file share where the FSLogix profiles are located

.PARAMETER StorageAccountResourceGroupName
    Provide the resource group name of your storage account

.PARAMETER OverrideErrorActionPreference
    Provide the ErrorActionPreference setting, as described in about_preference_variables.
    (https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_preference_variables?view=powershell-7#erroractionpreference).
    When running locally we should use "Break" mode, which breaks into the debugger when an error is thrown.

.EXAMPLE
    PS C:\> .\Clean-LingeringFSLogixProfiles.ps1 -Mode "Alerting" -ProfileStorageAccount "storageaccountname" -ProfileShare "profileshare" -StorageAccountResourceGroupName "resourcegroupname"

#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [ValidateSet('alerting', 'react')]
    [string]
    $Mode,
    [Parameter(Mandatory = $true)]
    [string]
    $ProfileStorageAccount,
    [Parameter(Mandatory = $true)]
    [string]
    $ProfileShare,
    [Parameter(Mandatory = $true)]
    [string]
    $StorageAccountResourceGroupName,
    [Parameter(Mandatory = $false)]
    [string]
    $OverrideErrorActionPreference = "Break"
)

$ErrorActionPreference = $OverrideErrorActionPreference

# The following cmdlet retrieves your storage account details; its .Context property is what the file share cmdlets need
$StorageAccount = Get-AzStorageAccount -ResourceGroupName $StorageAccountResourceGroupName -Name $ProfileStorageAccount
$Context = $StorageAccount.Context

#region retrieve details per hostpool
# Retrieves all host pools in the current subscription => filter here if you only want to check specific host pools
$hostpools = Get-AzWvdHostPool
foreach ($hostpool in $hostpools) {
    # The host pool resource ID carries the resource group we need for the session query
    $wvdrg = Get-AzResource -ResourceId $hostpool.Id

    #region gather all open files & sessions
    $OpenFiles = Get-AzStorageFileHandle -Context $Context -ShareName $ProfileShare -Recursive
    $UserSessions = Get-AzWvdUserSession -HostPoolName $hostpool.Name -ResourceGroupName $wvdrg.ResourceGroupName | Select-Object ActiveDirectoryUserName, ApplicationType, SessionState, UserPrincipalName, Name
    #endregion

    #region fill Open Files array
    # The first path segment of an open handle is the per-user profile folder on the share
    $pathusers = @()
    foreach ($openfile in $OpenFiles) {
        if ($openfile.Path) {
            $pathusers += $openfile.Path.Split("/")[0]
        }
    }
    $pathusers = $pathusers | Select-Object -Unique
    #endregion

    #region fill Open Sessions array
    # ActiveDirectoryUserName is DOMAIN\user; keep only the user part so it matches the profile folder name
    $sessionusers = @()
    foreach ($usersession in $UserSessions) {
        if ($usersession.ActiveDirectoryUserName) {
            $sessionusers += $usersession.ActiveDirectoryUserName.Split("\")[1]
        }
    }
    $sessionusers = $sessionusers | Select-Object -Unique
    #endregion

    #region loop through every open file and find a corresponding user session
    foreach ($pathuser in $pathusers) {
        if ($sessionusers -contains $pathuser) {
            Write-Host -ForegroundColor Green "Active session user: $pathuser"
            continue
        }

        # No active session for this profile folder: find out which host still holds the handle.
        # Take the first handle explicitly; indexing IPAddressToString[0] on a single handle would
        # return the first character of the address instead of the address itself.
        $OpenFilesDetails = $OpenFiles | Where-Object { $_.Path -like "*$($pathuser)*" }
        $ClientIp = ($OpenFilesDetails | Select-Object -First 1).ClientIp.IPAddressToString
        # the following retrieves the virtual machine name of the lingering VHDX file
        $IPNic = (Get-AzNetworkInterface | Where-Object { $_.IpConfigurations.PrivateIpAddress -eq $ClientIp }).VirtualMachine.Id
        $vmname = ($IPNic -split '/') | Select-Object -Last 1
        $VM = Get-AzVM -Name $vmname
        Write-Host -ForegroundColor Red "Inactive session user: $pathuser has an FSLogix profile mounted on the following virtual machine $vmname"

        if ($Mode -eq "react") {
            # double check whether or not you want to dismount the profile
            $YesNo = Read-Host "Are you sure you want to dismount the user profile of $pathuser on the following server ${vmname}: Yes/No"
            if ($YesNo -ne "Yes") {
                # Exit script
                Write-Host "We are now exiting the script, you've entered the wrong option: Yes/No is required"
                exit
            }
            # The credentials are handed to the in-VM script as plain Run Command parameters, so prompt for them
            # with Get-Credential rather than echoing the password on the console
            $domaincred = Get-Credential -Message "Enter your domain admin credentials"
            $runDismount = Invoke-AzVMRunCommand -ResourceGroupName $VM.ResourceGroupName -Name $VM.Name -CommandId 'RunPowerShellScript' -ScriptPath "scripts\AzVMRunCommands\Clean-InVMLingeringFSLogixProfiles.ps1" -Parameter @{"Upn" = $domaincred.UserName; "Pass" = $domaincred.GetNetworkCredential().Password; "pathuser" = $pathuser }
            if ($runDismount.Status -ne "Succeeded") {
                Write-Error "Run failed"
            } else {
                Write-Host "FSLogix profile has been dismounted for $($pathuser) on $($vmname)"
            }
        }
    }
    #endregion
}
#endregion

In-VM PowerShell Script

Before launching the script above, make sure to save the script that needs to be run within the virtual machine.

Save the PowerShell script below as “InVMLingeringFSLogixProfiles.ps1” and alter the script path in the script above accordingly. The scripts can be downloaded from my GitRepo as well.

param (
    [Parameter(Mandatory = $true)]
    [string]
    $pathuser,
    [Parameter(Mandatory = $true)]
    [string]
    $upn,
    [Parameter(Mandatory = $true)]
    [string]
    $pass,
    [Parameter(Mandatory = $false)]
    [string]
    $OverrideErrorActionPreference = "Break"
)

#This script is run within the virtual machine
$ErrorActionPreference = $OverrideErrorActionPreference

$ziptargetfolder = "c:\troubleshooting\"
$innerscriptlocation = $ziptargetfolder + "Dismount-VHD.ps1"

if (!(Test-Path $ziptargetfolder)) {
    New-Item -ItemType Directory -Path $ziptargetfolder | Out-Null
}

# Write the inner script: find the FSLogix volume by its label ("Profile-<user>") and dismount the backing VHD(X)
@"
`$ProfileNamingConvention = "Profile-" + "$pathuser"
`$Volume = Get-Volume | Where-Object { `$_.FileSystemLabel -eq `$ProfileNamingConvention } | ForEach-Object { Get-DiskImage -DevicePath `$(`$_.Path -replace "\\`$") }
Dismount-DiskImage -ImagePath `$Volume.ImagePath
"@ | Out-File -FilePath $innerscriptlocation

# Run the inner script as the supplied domain account through a one-off scheduled task.
# The task is registered with the account's password, so it is removed again as soon as it has run.
$taskName = "Dismount-FSLogixProfile"
$TaskPath = "\CustomTasks"
$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-NoProfile -NoLogo -NonInteractive -ExecutionPolicy Unrestricted -File $innerscriptlocation" -WorkingDirectory $ziptargetfolder
$Settings = New-ScheduledTaskSettingsSet -Compatibility Win8
# Register under the same task path that is used to start, query and remove the task below
Register-ScheduledTask -TaskName $taskName -TaskPath $TaskPath -User $upn -Password $pass -RunLevel Highest -Action $Action -Settings $Settings

Start-ScheduledTask -TaskName $taskName -TaskPath $TaskPath
# Give the task a moment to leave the 'Ready' state before polling for completion
Start-Sleep -Seconds 2
while ((Get-ScheduledTask -TaskName $taskName -TaskPath $TaskPath).State -ne 'Ready') {
    Start-Sleep -Seconds 2
}

Unregister-ScheduledTask -TaskName $taskName -TaskPath $TaskPath -Confirm:$false
Remove-Item -Path $innerscriptlocation -Force


Warning!

The scripts are provided as-is, please be very careful and test run the scripts on a “test” environment or an environment that allows you to perform some quick checks and tests. Dismounting VHD(X) files can cause unwanted effects when performed against an Active user.

Thank you!

Thank you for reading through this blog post, I hope I have been able to assist in troubleshooting FSLogix profile mounting issues.

If you encounter any new insights, feel free to drop me a comment or contact me via mail or other social media channels.

How to monitor Azure Migrate replication issues
https://www.tunecom.be/stg_ba12f/?p=1010 (Mon, 25 Jan 2021 18:32:53 +0000)
When migrating virtual or physical servers to Microsoft Azure with Azure Migrate you would like to monitor replication health.

Azure Migrate does provide a built-in solution for this within the Azure Migrate project(s). You can manually review the status or use PowerShell to retrieve the replication health of your IaaS machines. However, this lacks some kind of notification or alerting mechanism.

If you’re interested in how to automatically get notified when something goes wrong, please continue reading below.

A look under the hood of Azure Migrate

When looking at the bundle of products included in an Azure Migrate project, one key product is Azure Site Recovery (ASR), which is hosted in a Recovery Services Vault.

Azure Site Recovery is used to replicate your origin machines to Azure.
This means that when we encounter any replication issues, we will have to look at our replication product in place.

When browsing the Recovery Services Vault blade, scroll down to the “Monitoring” section and select “Site Recovery Events”.

On the “Site Recovery Events” page you will see a page very similar to the Azure Migrate Events page. Select “E-mail Notifications”.

Enable the “E-mail notifications” by selecting On; select “Other administrators” if you want to send alerts to people who are not Azure service admins/co-admins. Enter an e-mail address and select Save.

Whenever a new site recovery event or alert is triggered you will receive a mail notification.

PowerShell

#Select your Azure Site Recovery Services Vault
$rsv = Get-AzRecoveryServicesVault | Out-GridView -OutputMode Single

#Set the recovery services vault context
Set-AzRecoveryServicesAsrVaultContext -Vault $rsv

#Retrieve current alerting configuration
Get-AzRecoveryServicesAsrAlertSetting

#Set alerts (Remove -EnableEmailSubscriptionOwner if you do not want the default owners to be notified)
$EmailAddresses = "test.test@test.be"
Set-AzRecoveryServicesAsrAlertSetting -CustomEmailAddress $EmailAddresses -EnableEmailSubscriptionOwner

Thank you!

Thank you for reading through this blog post, I hope I have been able to assist in your Azure Migration journey.

If you encounter any new insights, feel free to drop me a comment or contact me via mail or other social media channels.

How to resolve WVD-Agent service is being stopped: NAME_ALREADY_REGISTERED, This VM needs to be properly registered in order to participate in the deployment
https://www.tunecom.be/stg_ba12f/?p=977 (Fri, 15 Jan 2021 14:24:14 +0000)
On some occasions, you might find yourself battling with an unavailable Windows Virtual Desktop Host in your WVD Host pool and restarting the RDAgentBootLoader service like a maniac.

The following picture shows our host which is unavailable.

Logged on to the host, we can see that the RDAgentBootloader has stopped.

Looking at the event log of the specific host, you’ll see an error entry each time you try to restart the RDAgentBootLoader service.

Error message: WVD-Agent service is being stopped: NAME_ALREADY_REGISTERED, This VM needs to be properly registered in order to participate in the deployment

Below you can find the steps to resolve this issue.

Step 1: Remove the session host from the host pool

Navigate to the host pool section, select your host. When you click on the settings icon, you can remove the host from the host pool.

Step 2: Generate a new host pool registration token

If you have just installed the RDAgent & RDAgentBootloader, please skip step 2 and go to step 3.1. If you are not sure whether the RDAgent install went fine and you’ve entered a registration key before, continue here.

Navigate to your host pool and select “Registration key”.

Select “Generate new key”.

Enter an expiration date and time for this specific key and select “OK”.

You can now copy or download the registration key.

Continue to step 3.2

Step 3.1: Restart RDAgentBootloader service

Restart the RDAgentBootloader service or restart the entire virtual machine if you feel more comfortable in doing so.

Step 3.2: Re-install RD Agents

On your WVD host download the latest version of the following software:

RDAgent: link to Microsoft Docs

RDAgentbootloader: link to Microsoft Docs

If you have previously installed the RDAgent & RDAgentBootLoader, make sure to remove it first.

During the installation process of the RDAgent, you will be prompted to enter the registration key. Fill in the key that you have copied or downloaded.

After having installed the RDAgent, please install the RDAgentBootLoader.

Reboot the WVD host and verify if the host is available in the pool again.

Thank you!

Thank you for reading through this blog post, I hope I have been able to assist in resolving this issue.

If you encounter any new insights, feel free to drop me a comment or contact me via mail or other social media channels.

How to clean up replica disks after VMware Virtual Machine migration with Azure Migrate
https://www.tunecom.be/stg_ba12f/?p=901 (Wed, 06 Jan 2021 11:08:32 +0000)
During the lifecycle of an Azure IaaS migration project with Azure Migrate, it is advised to perform some additional cleanup actions once you have migrated a certain set of virtual machines.

The migration process

The following migration process is usually followed when migrating VMware VMs to Azure IaaS VMs with Azure Migrate.

  1. Deploy Azure Migrate appliance
  2. Run Discovery Assessment
  3. Verify Application Dependency
  4. Create server migration groups
  5. Start replication with associated replication parameters
  6. Perform test migration
  7. Cleanup test migration
  8. Perform final migration
  9. Cleanup obsolete ASR disks!

Step 5 demystified – start replication

From step 5 onwards, the Azure Migrate appliance uses Azure Site Recovery to replicate your on-premises VMDK (virtual disk) files to the subscription and resource group that you selected in the migration settings.

Figure: Azure Site Recovery Disks

As you can see, a specific naming convention is applied by default to the ASR disks.

asrseeddisk-(VMName)-GUID

Step 6 demystified – run test migration

Once the initial delta sync of your virtual machine has been completed, you are now able to perform a test migration.

There are multiple reasons why you should perform a test migration, a major one is to find out if your server and corresponding applications are working properly in Azure.

During the test migration, a snapshot is taken of the ASR disks and a new virtual machine is being created based upon your migration settings.

Please note that your VM is being created with a “test” suffix, to indicate that this machine is being “test migrated”.

The virtual disk names can be altered in the migration settings pane, however, it is advised to keep the disk names as is, to avoid any confusion.

At this point, you will have 3 replica sets of your virtual machine disks.

  1. The source on-premises VMDK files
  2. The replication Azure Site Recovery disks
  3. The target Azure Virtual Machine disks

Step 7 demystified – clean up test migration

Once you’ve confirmed that your virtual machine is Azure capable and corresponds to your needs, you can clean up the test migration.

Before cleaning up the test migration, make sure that you have documented or automated the steps that you have performed on this virtual machine. All changes made on the “test migration” Virtual Machine will be lost.

When performing a clean-up of the test migration, the test virtual machine and its corresponding managed disks are deleted.

Step 8 demystified – Perform final migration

During the final migration step, a final sync of the on-premises virtual machine will be made.

It is advised to mark the “shutdown local machine” option when performing the migration; this ensures that no data is being altered on the machine that is being migrated.

Like the test migration step, a new virtual machine is created based on a snapshot of the latest version of the ASR disks. Once the migration has been completed, make sure to validate the server and perform the necessary actions that you performed during the test migration.

Your new virtual machine name will now have the exact naming convention as your on-premises virtual machine, including the attached virtual disks.

Step 9 demystified – Clean up ASR disks

When looking at your Azure Migrate project, you will find a mix of servers that have been migrated and/or are pending a test migration or clean up.

When browsing to your VM in Azure Migrate, select Disks. Note down the replica disk names; these are the replica disks that are still stored as managed disks within your target resource group.

To clean up the ASR disks, make sure to stop the replication as soon as your migration has been completed.

After having stopped the replication, the managed disks are deleted from your resource group.

Automation Script

The script below can be used to automate the clean-up of migrated virtual machines.

#Requires -Modules @{ ModuleName="Az.Accounts"; ModuleVersion="2.2.3" }
#Requires -Modules @{ ModuleName="Az.Migrate"; ModuleVersion="0.1.1" }

#Migration Project Input Variables
$AzMigrateProjectName = "project name here"
$AzMigrateSubscriptionID = "subscription id here"
$AzMigrateResourceGroupName = "resource group name here"

#Required Modules
Write-Output "Required modules loading"
Import-Module Az.Accounts
Import-Module Az.Migrate

#Account Login (start from a clean context so the right account and subscription are used)
Disconnect-AzAccount
Connect-AzAccount

Set-AzContext -SubscriptionId $AzMigrateSubscriptionID

#Clean up: only machines whose migration has succeeded are selected; stopping their replication removes the asrseeddisk replica disks
$MigrationProject = Get-AzMigrateProject -Name $AzMigrateProjectName -SubscriptionId $AzMigrateSubscriptionID -ResourceGroupName $AzMigrateResourceGroupName

$MigrationStatus = Get-AzMigrateServerReplication -ResourceGroupName $AzMigrateResourceGroupName -ProjectName $AzMigrateProjectName -SubscriptionId $AzMigrateSubscriptionID | Where-Object { $_.MigrationState -eq "MigrationSucceeded" } | Select-Object MachineName, MigrationState, AllowedOperation, Id

foreach ($migrationobject in $MigrationStatus) {
    $ObjectID = Get-AzMigrateServerReplication -TargetObjectID $migrationobject.Id
    Write-Host "Following replication job will be removed: $($migrationobject.MachineName)" -ForegroundColor Green
    Remove-AzMigrateServerReplication -InputObject $ObjectID
}



Thank you!

Thank you for reading through this blog post, I hope I have been able to assist in keeping your Azure Migration journey as lean and mean as possible.

If you encounter any new insights, feel free to drop me a comment or contact me via mail or other social media channels

The post How to clean up replica disks after VMWare Virtual Machine migration with Azure Migrate appeared first on Tunecom.

How to fix “The Azure Migrate unified appliance <ApplianceName> is in a disconnected state, Ensure that the appliance is running and has connectivity before proceeding” issue
https://www.tunecom.be/stg_ba12f/?p=871
Published: Mon, 04 Jan 2021 14:05:24 +0000
When re-hosting or migrating traditional IaaS servers hosted on VMware, you might encounter the following issue when trying to set up replication towards Azure.

The case

You have a single Azure Migrate appliance, which you used for the suitability analysis, and you have enabled that same appliance in the migration project as well. In other words, this is an agentless migration.

The issue

The Azure Migrate Virtual Appliance ‘appliance name’ is in a disconnected state, please verify network connectivity.

The resolution

The following troubleshooting steps should help you resolve this issue.

  • Step 1: Verify agent health on the appliance
  • Step 2: Re-run the configuration wizard and verify your settings
  • Step 3: Re-enter your Azure Credential
  • Step 4: Restart the replication and gateway services

Run the following commands in an administrative powershell or cmd prompt.

Net Stop asrgwy
Net Start asrgwy
Net Stop dra
Net Start dra
  • Step 5: Verify service health

Check your connection status in the Appliances blade of the Azure Migrate resource on the Azure Portal.
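Steps 1, 4 and 5 can be done from a single elevated PowerShell session on the appliance. The block below is an added example, not part of the original post: it checks the state of the two services named above, restarts them, waits until they are running again and probes outbound HTTPS. The probe endpoint is an assumption; use the URLs from the Azure Migrate appliance documentation for your environment.

```powershell
# Added example (not from the original post): check and restart the two appliance services the
# post names (asrgwy = gateway, dra = replication agent) and report their state before and after.
# Run in an elevated PowerShell session on the Azure Migrate appliance.
$ApplianceServices = @("asrgwy", "dra")

foreach ($Name in $ApplianceServices) {
    $Service = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $Service) {
        Write-Host "Service $Name was not found on this machine, is this the migration appliance?" -ForegroundColor Red
        continue
    }
    Write-Host ("{0,-8} status before: {1}" -f $Name, $Service.Status)

    # Restart-Service stops and starts the service in one step (same effect as net stop / net start)
    Restart-Service -Name $Name -Force -ErrorAction Stop
    $Service.WaitForStatus([System.ServiceProcess.ServiceControllerStatus]::Running, [TimeSpan]::FromSeconds(60))
    Write-Host ("{0,-8} status after : {1}" -f $Name, (Get-Service -Name $Name).Status)
}

# The appliance needs outbound HTTPS to Azure to report as connected; this probe endpoint is an
# assumption, check the documented URL list for the appliance and test each one that matters to you
Test-NetConnection -ComputerName "management.azure.com" -Port 443 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
```

If a service refuses to reach Running within the timeout, the Windows event log on the appliance is the next place to look before re-running the configuration wizard.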

Ready to migrate

Thank you!

Thank you for reading through this blog post, I hope I have saved you some time on researching the disconnected state issue.

If you encounter any new insights, feel free to drop me a comment or contact me via mail or other social media channels

The post How to fix “The Azure Migrate unified appliance <ApplianceName> is in a disconnected state, Ensure that the appliance is running and has connectivity before proceeding” issue appeared first on Tunecom.

How to fix RD Client iOS error code 0x3000015 for Windows Virtual Desktop
https://www.tunecom.be/stg_ba12f/?p=802
Published: Fri, 17 Apr 2020 06:54:29 +0000
Many of you who tried out the new iOS Remote Desktop client app to connect to Windows Virtual Desktop might have encountered an error during subsequent attempts when adding a new workspace to your RD Client app.

0x3000015, a screen smasher for sure!

To avoid hitting the repair shop for a new screen, let me walk you through a couple of steps to fix this issue.

Setting the stage:

Starting with the screenshots below, I already have a workspace configured which points to 2 of my Windows Virtual Desktop tenants.

For the purpose of this demo and blog, I would like to setup a new workspace, so I can connect to another series of virtual desktops.

When pressing the “Edit” button, select “delete”

Press “delete” again in order to confirm and permanently delete that workspace.

Great so far, no workspaces to show:

Now let’s hit the “+” sign

And select “Add Workspace”

Enter the Windows Virtual Desktop web feed URL “https://rdweb.wvd.microsoft.com” and press Next.

You’re then prompted to authenticate against your Azure Active Directory Tenant , so use your e-mail address or UPN (User Principal Name) that has access to a Windows Virtual Desktop workspace to login.

Awesome, here is my new workspace, and as you can see I have a session desktop available to launch.

Now, you would expect that if you select your session desktop, you’ll end up in your Windows 10 environment..

Guess again! 0x3000015: “We couldn’t connect to the remote desktop gateway because of an internal error. If this keeps happening, contact your network administrator for assistance.”

Now, let me be that network administrator for you today!

In order to resolve this issue, follow the steps below!

Fixing the issue

To start off with a clean sheet, close all open apps on your iOS device and open the Settings app.

Scroll down through your apps until you reach the RD Client app.

Select the RD Client app.

Scroll down to the “WVD Security Tokens” section and switch on “Delete on App Launch” (slide the toggle to the right so it turns green).

With this enabled, the cached Windows Virtual Desktop tokens are discarded the next time the app starts, which is why you will be asked to sign in again in the next step instead of reusing the stale token that caused the gateway error.

Back to our Virtual Desktop

Now let’s navigate back to our Remote Desktop Client app.

And launch your previously added desktop

Enter your username and password

Woohoo! Here we have our rich Windows 10 experience on iOS provided by Windows Virtual Desktop.

Thank you!

Thank you for reading through this blog post, I hope I have saved you some time on researching the 0x3000015 error message.

If you encounter any new insights, feel free to drop me a comment or contact me via mail or other social media channels

The post How to fix RD Client iOS error code 0x3000015 for Windows Virtual Desktop appeared first on Tunecom.

Teams on Windows Virtual Desktop (TeamsOnWVD Powershell Module)
https://www.tunecom.be/stg_ba12f/?p=724
Published: Fri, 10 Apr 2020 13:26:29 +0000
In this post I want to show you how to install Microsoft Teams (Machine-Wide) on Windows Virtual Desktop with a very easy to use PowerShell module called TeamsOnWVD.

Why?

Let me first set the stage and the reason why I’ve written this small powershell module.

When browsing the web for best practices on installing Microsoft Teams on Windows Virtual Desktop, I often encountered colleagues struggling to get the Microsoft Teams (Machine-Wide) installer up and running, and a lot of questions have been raised about uninstalling Teams completely.

With this powershell module, I hope to provide an added value to installing and un-installing Teams in just minutes.

How it works

Below you can find a step by step guide on how to use the PowerShell module and see its effects on your systems.

Installing Teams on WVD – Step by step

Below screenshot is a view on my Windows Virtual Desktop Host, as you can see in the start menu, I don’t have any entries so far for Microsoft Teams.

And if I take a look at my App & Features, nothing to show here as well.

An important step before you install Teams on your Windows Virtual Desktop host is the Teams registry value that tells the Teams installer it is running in a WVD environment:

Christiaan Brinkhoff has a blog post summarising all WVD recommendations. Check here for more details.

This is the regkey we will be needing:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Teams, value name: IsWVDEnvironment, type: REG_DWORD, data: 0x1

As you can see in the screenshot below, that registry key is missing.

Now, let’s go to our TeamsOnWVD module, follow the steps in the screenshot below to install and import the module.

Install-Module TeamsOnWVD
Import-Module TeamsOnWVD
Get-Module -Name TeamsOnWVD

After having imported the TeamsOnWVD module, run the Install-Teams64bit cmdlet.

Install-Teams64bit

And this is where the magic happens: the cmdlet makes sure the registry value is present, downloads the latest version of the Teams MSI file and installs it with the right set of parameters.

After running the cmdlet, Teams has been published on our desktop and is ready to be launched.

Below screenshot shows that our registry key is available now.
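For anyone who wants to see (or audit) what a machine-wide Teams install on a WVD host consists of, the block below spells out the same steps in plain PowerShell. It is an added example and is not the code of the TeamsOnWVD module or the original post; the MSI and log paths are assumptions, and it expects you to have downloaded Teams_windows_x64.msi from Microsoft beforehand instead of downloading it for you.

```powershell
# Added example (not from the original post or the TeamsOnWVD module): the three steps a machine-wide
# Teams install on a WVD host consists of, written out so they can be audited. $MsiPath and $LogPath
# are assumptions; download Teams_windows_x64.msi from Microsoft first and point $MsiPath at it.
$MsiPath  = "C:\Temp\Teams_windows_x64.msi"
$LogPath  = "C:\Temp\TeamsInstall.log"
$TeamsKey = "HKLM:\SOFTWARE\Microsoft\Teams"

# 1. Tell Teams it runs on WVD: REG_DWORD IsWVDEnvironment = 1 under HKLM\SOFTWARE\Microsoft\Teams
if (-not (Test-Path $TeamsKey)) { New-Item -Path $TeamsKey -Force | Out-Null }
New-ItemProperty -Path $TeamsKey -Name "IsWVDEnvironment" -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Only install an MSI that carries a valid Authenticode signature from Microsoft
$Signature = Get-AuthenticodeSignature -FilePath $MsiPath
if ($Signature.Status -ne "Valid" -or $Signature.SignerCertificate.Subject -notmatch "O=Microsoft Corporation") {
    throw "Refusing to install: $MsiPath is not validly signed by Microsoft (status: $($Signature.Status))"
}

# 3. Machine-wide installation: ALLUSER=1 puts Teams in Program Files for all sessions (VDI mode),
#    ALLUSERS=1 makes the installer itself per-machine; both are the parameters Microsoft documents for WVD
$Arguments = "/i `"$MsiPath`" /l*v `"$LogPath`" ALLUSER=1 ALLUSERS=1 /qn"
$Process = Start-Process -FilePath msiexec.exe -ArgumentList $Arguments -Wait -PassThru
if ($Process.ExitCode -ne 0) { throw "msiexec returned exit code $($Process.ExitCode), see $LogPath" }

# 4. Verify: registry value present and the machine-wide installer registered in Apps & Features
$Value = (Get-ItemProperty -Path $TeamsKey -Name "IsWVDEnvironment").IsWVDEnvironment
$Installed = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" |
    Where-Object { $_.DisplayName -like "Teams Machine-Wide Installer*" }
Write-Host "IsWVDEnvironment = $Value; installed: $($Installed.DisplayName) $($Installed.DisplayVersion)"
```

The signature check is the part most install scripts skip: it is what stops a tampered or mirrored MSI from being rolled out to every session host with SYSTEM privileges.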

Launching Teams

So, we’ve installed Microsoft Teams, let’s make sure that everything works for our end-users.

The screenshot below allows me to connect to one of my session desktops.

After have connected to my desktop, Microsoft Teams is auto-launching in my session.

And here we go, we have a fully functioning Microsoft Teams client on Windows Virtual Desktop, which is available to all my users.

Un-installing Teams on WVD and other systems

If we want to un-install Microsoft Teams on our WVD hosts, we have a couple of things to check.

First off, check which versions of Teams are installed. The screenshot below only shows the Machine-Wide installer, but per-user Teams installations might be present as well.

The registry key that we needed earlier is still there, so we might want to clean that one up.

To quickly uninstall all versions of Teams on your WVD hosts, run the Remove-Teams64bit cmdlet. It checks for every version installed on the system and cleans up the per-user installations and the registry value.

Remove-Teams64bit

During the removal process, you will see that the Teams Icon is removed from my desktop.

And the registry key has been removed.

My Apps & Features have been cleaned up as well.

And last but not least, no more entries when searching in Windows Search.

Thank you for your support

Thank you all for reading and discovering my recent blog post. If you encounter any issues while downloading and using the TeamsOnWVD PowerShell module, reach out to me so I can make the necessary improvements and help you out as soon as possible.

The post Teams on Windows Virtual Desktop (TeamsOnWVD Powershell Module) appeared first on Tunecom.

Moving your data to a serverless infrastructure with Azure Files and Active Directory Authentication (Preview)
https://www.tunecom.be/stg_ba12f/?p=617
Published: Fri, 28 Feb 2020 07:22:43 +0000
A couple of days ago, Microsoft announced the public preview of Windows Server Active Directory authentication / integration for Azure Files. Make sure to check-out the introduction video by Will Gries (Senior Program Manager) and Thomas Maurer (Senior Cloud Advocate)

This is probably one of the most requested features since file shares on Azure Storage became available.
Until now, identity-based authentication and ACLs on Azure Files were only possible with Azure AD Domain Services.

Now it’s time to integrate this with our existing Windows Server Active Directory Infrastructure

Long story short

We are now able to set NTFS permissions and ACLs based on our existing Windows Server AD on an Azure Fileshare. This blogpost takes you through the necessary steps to automate the process shown below.

Files AD workflow diagram

Now the long(er) story

Before we can activate all of this, we have a couple of prerequisites:

1. Windows Server Active Directory needs to be synchronized with Azure Active Directory

2. You need an Azure Storage account with an Azure File share which is NOT located in one of the following regions.

  • West US
  • West US 2
  • East US
  • East US 2
  • West Europe
  • North Europe
Run the following script if you want to create a new storage account.

Background info: Change the initial variables to meet your environment needs, I have chosen France Central as a region to deploy our Storage Account.

Download the script here, or copy paste the scriptblock below. After running the script you’ll see that new or additional file shares have been created.

Azure Files
Powershell Script
########################
#
# Name: Azure Files Create Storage Account
# Author: Yannick Dils
# Version: v0.1
#
########################

Write-Host "Let's get started" -ForegroundColor Magenta
Start-Sleep -Seconds 3

########################
#
# Install or import the required modules
#
########################

# Az modules install per-user without elevation; versions are pinned to the ones this post was written against
Install-Module -Name Az.Accounts  -RequiredVersion 1.6.4  -Scope CurrentUser -Force
Import-Module Az.Accounts
Install-Module -Name Az.Resources -RequiredVersion 1.11.0 -Scope CurrentUser -Force
Import-Module Az.Resources
Install-Module -Name Az.Storage   -RequiredVersion 1.11.0 -Scope CurrentUser -Force
Import-Module Az.Storage

########################
#
# Create Naming Convention + Location and Name Variables
#
########################

Write-Host "Step 1 : Let's define some variables and naming conventions`n" -ForegroundColor Cyan

Write-Host "Enter a 3 letter word abbreviation for your customer or project (example: tuc, vdc) : " -ForegroundColor Yellow -NoNewline
$Cus = Read-Host
Write-Host "Enter a 3 letter word abbreviation for your environment (example: hub, prd, tst, dev, acc) : " -ForegroundColor Yellow -NoNewline
$Env = Read-host
$FullLocation = "France Central"
$NamingConv = "st" + "lrs" + $Cus + "frc" + $Env + "file"
$SAFILE = $NamingConv
$RGDATA = $Cus + "-hub-storage-rg"
Write-Host "Enter a name for your fileshare (example: fileserver, profiles,..) : " -ForegroundColor Yellow -NoNewline
$FileShareName = Read-host


Write-Host "`nStep 2 : Based on the naming convention provided in the script, the following has been identified:`n" -ForegroundColor Cyan
Write-Host "Location : $FullLocation"  -ForegroundColor Green
Write-Host "Storage Account Name : $SAFILE" -ForegroundColor Green
Write-Host "Fileshare Name : $FileShareName" -ForegroundColor Green

Write-Host "Resource Group Name : $RGDATA" -ForegroundColor Green


########################
#
# Login to Az Account
#
########################

Write-Host "`nStep 3 : Before we continue, we need to log you into your Azure Account" -ForegroundColor Cyan

Connect-AzAccount

########################
#
# Select the Azure Subscription where you want to create your storage account
#
########################

$Subscriptions = Get-AzSubscription
Write-Host "Step 4 : These are your available subscriptions`n" -ForegroundColor Cyan
Write-host $Subscriptions.Name -ForegroundColor Cyan -BackgroundColor Black

Write-Host "`nStep 5 : Enter the subscription name : " -ForegroundColor Yellow -NoNewline
$SubscriptionName = Read-host
Select-AzSubscription -Subscription $SubscriptionName



########################
#
# Verify if an existing resource group exists with the name in variable $RGDATa, create a new one if not
#
########################


$RG = Get-AzResourceGroup -Name $RGDATA -ErrorAction SilentlyContinue

If ($RG)
        {
        Write-Host "Step 6 : A Resource Group already exists with the name $RGDATA, no need to create one" -ForegroundColor Cyan
        }
Else
        {
        Write-Host "Step 6 : A Resource Group is created with the name $RGDATA" -ForegroundColor Cyan
        New-AzResourceGroup -Name $RGDATA -Location $FullLocation
        }

########################
#
# Create a new Storage Account located in the $FullLocation region based on the input variables
#
########################

$SA = Get-AzStorageAccount -ResourceGroupName $RGDATA -Name $SAFILE.ToLower() -ErrorAction SilentlyContinue
# Only look for the share when the storage account exists, otherwise $SA.Context is null and the lookup errors out
$StorageShare = $null
If ($SA)
        {
        $StorageShare = Get-AzStorageShare -Name $FileShareName -Context $SA.Context -ErrorAction SilentlyContinue
        }

If ($SA)
        {
        Write-Host "Step 7 : A Storage Account already exists with the name $SAFILE, no need to create one" -ForegroundColor Cyan

        If ($StorageShare)
                {
                Write-Host "Step 8 : A File Share already exists with the name $FileShareName, no need to create one" -ForegroundColor Cyan
                }
        Else
                {
                Write-Host "Step 8 : A File Share is created with the name $FileShareName" -ForegroundColor Cyan
                New-AzStorageShare -Name $FileShareName -Context $SA.Context
                }




        }
Else
        {
        Write-Host "Step 7 : A Storage Account is created with the name $SAFILE" -ForegroundColor Cyan
        New-AzStorageAccount -ResourceGroupName $RGDATA -Name $SAFILE.ToLower() -Kind StorageV2 -SkuName Standard_LRS -Location $FullLocation -AccessTier Hot
        Write-Host "Step 8 : A File Share is created with the name $FileShareName" -ForegroundColor Cyan
        $ctx = Get-AzStorageAccount -ResourceGroupName $RGDATA -Name $SAFILE.ToLower()
        New-AzStorageShare -Name $FileShareName -Context $ctx.Context

         }

Write-Host "End of script" -ForegroundColor Magenta


########################
#
# End of script
#
########################

Start-Sleep -Seconds 5

3. You need to join your Azure Storage account to the domain

Since the feature is still in public preview, joining the storage account to your Windows Server Active Directory domain takes a couple of manual steps. With Azure AD Domain Services this is a single switch on the storage account that enables Azure AD DS authentication; I assume the product team will bring the same kind of deployment experience to the traditional Active Directory join.

The following link gives a step by step guide for the required steps, so feel free to read through it. But wait!

I’ve taken the opportunity to automate the necessary steps and put it in the following script. Note: Make sure to run it from a domain joined machine or directly on your domain controller.

Download the script here, or copy paste the scriptblock below. After running the script your Azure Storage Account will be joined to the domain, this is how it could look like.

Computer Account Object
Powershell Script
########################
#
# Name: Azure Files Domain Join Script
# Author: Yannick Dils
# Version: v0.1
#
########################

Write-Host "Let's get started" -ForegroundColor Cyan
Start-Sleep -Seconds 3

########################
#
# Install or import the required modules
#
########################

# Az modules install per-user without elevation; versions are pinned to the ones this post was written against
Install-Module -Name Az.Accounts  -RequiredVersion 1.6.4  -Scope CurrentUser -Force
Import-Module Az.Accounts
Install-Module -Name Az.Resources -RequiredVersion 1.11.0 -Scope CurrentUser -Force
Import-Module Az.Resources
Install-Module -Name Az.Storage   -RequiredVersion 1.11.0 -Scope CurrentUser -Force
Import-Module Az.Storage
# The ActiveDirectory module is not on the PowerShell Gallery, it ships with RSAT. On a domain controller or
# member server it is a Windows feature (elevated session required); on a Windows 10 client add the RSAT
# optional feature for Active Directory instead.
If (-not (Get-Module -ListAvailable -Name ActiveDirectory))
    {
    Install-WindowsFeature -Name RSAT-AD-PowerShell
    }
Import-Module ActiveDirectory


########################
#
# Allow the downloaded AzFilesHybrid module to be imported without opening up the execution policy
#
########################

# RemoteSigned is sufficient for locally extracted files once their mark-of-the-web is removed (Unblock-File below);
# Unrestricted would let any script from any source run in this user's sessions
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force -ErrorAction SilentlyContinue

########################
#
# Download the AzFilesHybrid powershell module
#
########################

Write-Host "Step 1 : We will now download the Azure Files Hybrid powershell modules into a C:\Temp directory" -ForegroundColor Cyan

$DownloadLink = "https://github.com/Azure-Samples/azure-files-samples/releases/download/AzFilesHybrid-0.1.0.0/AzFilesHybrid.zip"
$TempDir = "C:\Temp"
$Output = "C:\Temp\AzFilesHybrid.zip"

If (Test-Path $TempDir)
    {
    Write-Host "Step 2 : The C:\Temp path already exists, no need to create one" -ForegroundColor Cyan
    }
Else
    {
    Write-Host "Step 2 : We are creating a temp directory C:\Temp" -ForegroundColor Cyan
    New-Item -ItemType Directory -Path $TempDir | Out-Null
    }

# GitHub only accepts TLS 1.2 or newer, which older Windows PowerShell versions do not enable by default
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
(New-Object System.Net.WebClient).DownloadFile($DownloadLink, $Output)

########################
#
# Unzip AzFilesHybrid, clear the mark-of-the-web on the extracted files and copy them into your module path
#
########################

Set-Location $TempDir
Expand-Archive -LiteralPath $Output -DestinationPath $TempDir -Force
Get-ChildItem -Path $TempDir -Recurse -File | Unblock-File
.\CopyToPSPath.ps1

########################
#
# Import AzFilesHybrid module
#
########################


Import-Module -name AzFilesHybrid


########################
#
# Login with an Azure AD credential that has either the storage account owner or contributor RBAC assignment
#
########################

Write-Host "Step 3 : Let's connect to our Azure Subscriptions" -ForegroundColor Cyan
Start-Sleep -Seconds 3
Connect-AzAccount

########################
#
# Select the Azure Subscription where your Storage Account is located
#
########################

$Subscriptions = Get-AzSubscription
Write-Host "Step 4 : These are your available subscriptions" -ForegroundColor Cyan
Write-host $Subscriptions.Name -ForegroundColor Cyan -BackgroundColor Black

Write-Host "Step 5 : Enter the subscription name : " -ForegroundColor Yellow -NoNewline
$SubscriptionName = Read-host
Select-AzSubscription -Subscription $SubscriptionName

########################
#
# Retrieve your current Windows Server Active Directory Domain Details
#
########################


$domaindetails = Get-ADDomain
#Register the target storage account with your active directory environment under the target OU
$Domain = $domaindetails.DNSRoot


########################
#
# Retrieve your Resource Groups and Storage Accounts located in your Azure Subscription
#
########################

#############
#
# Resource Groups
#
#############

$ResourceGroups = Get-AzResourceGroup | Select ResourceGroupName
Write-Host "Step 6 : These are the available resource groups: " -ForegroundColor Cyan
Foreach ($RG in $ResourceGroups)
    {
    Write-Host $RG.ResourceGroupName -ForegroundColor Cyan -BackgroundColor Black
    }
Write-Host "Step 7 : Enter the resource group name, where your Azure Files storage account is located: " -ForegroundColor Yellow -NoNewline
$ResourceGroup = Read-host 

#############
#
# Storage Accounts
#
#############


$StorageAccounts = Get-AzStorageAccount -ResourceGroupName $ResourceGroup

Write-Host "Step 8 : These are the available storage accounts : " -ForegroundColor Cyan

Foreach ($SA in $StorageAccounts)
        {
        Write-Host $SA.StorageAccountName -ForegroundColor Cyan -BackgroundColor Black
        }
Write-Host "Step 9 : Enter the storage account name, where your Azure Files share is located: " -ForegroundColor Yellow -NoNewline
$StorageAccount = Read-host

########################
#
# Create or use an Organizational Unit where our Azure Files storage account will be located
#
########################
$AzureFilesOUName = "AzureFiles"

Write-Host "Step 10 : We now want to join the Azure File Storage Accounts to the domain in an OU called $AzureFilesOUName" -ForegroundColor Cyan


$OU = Get-ADOrganizationalUnit -Filter 'Name -like $AzureFilesOUName'
If ($OU)
        {Write-Host "Step 11 : The AzureFiles OU Already Exists, no need to create one" -ForegroundColor Cyan}
Else
        {
        Write-Host "Step 11 : The OU needs to be created, we will now create a new OU called $AzureFilesOUName" -ForegroundColor Cyan
        $AzureFilesOU = New-ADOrganizationalUnit -Name $AzureFilesOUName
        }

########################
#
# Join the storage account into the domain, located in the required organizational unit
#
########################

# Join into the OU that was created or verified above
Join-AzStorageAccountForAuth -ResourceGroupName $ResourceGroup -StorageAccountName $StorageAccount -Domain $Domain -DomainAccountType ComputerAccount -OrganizationalUnitName $AzureFilesOUName

########################
#
# Verify Domain Join
#
########################

$azurefiles = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount

$ADService = $azurefiles.AzureFilesIdentityBasedAuth.DirectoryServiceOptions

Write-Host "Step 12 : Let us now verify if the directory service is ok" -ForegroundColor Cyan
Start-Sleep -Seconds 5

If ($ADService -eq "AD")
        {
        Write-host "Step 13 : All OK" -ForegroundColor Green
        }
Else
        {
        Write-host "Step 13 : Something went wrong ;)" -ForegroundColor Red
        }


Write-Host "Step 14 : Let us now verify if the directory authentication is ok" -ForegroundColor Cyan
Start-Sleep -Seconds 5

$ADInfo = $azurefiles.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties

If ($ADInfo.DomainName -eq $Domain)
        {
        Write-host "Step 15 : All OK" -ForegroundColor Green
        }
Else
        {
        Write-host "Step 15 : Something went wrong ;)" -ForegroundColor Red
        }

Write-host "End of script" -ForegroundColor Cyan
Start-Sleep -Seconds 5

########################
#
# End of script
#
########################
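The two checks at the end of the script look at the Azure side only. When a Kerberos mount later fails, the cause is usually on the AD side (the computer object or its SPN) or on the network (TCP 445). The block below is an added example, not part of the original post: it verifies the AD computer account and SPN the join created, compares the SID registered in Azure with the AD object, and probes SMB reachability. Run it on a domain-joined machine with the Az and ActiveDirectory modules loaded and an Az login in place; $ResourceGroup and $StorageAccount are assumptions holding the values used for the join.

```powershell
# Added example (not from the original post): after Join-AzStorageAccountForAuth, check the three
# things a failed Kerberos mount usually comes down to. $ResourceGroup and $StorageAccount are
# assumptions and must match the values used for the domain join.
$ResourceGroup  = "resource group name here"
$StorageAccount = "storage account name here"
$ExpectedSpn    = "cifs/$StorageAccount.file.core.windows.net"

# 1. AD side: the join created a computer account named after the storage account, with the CIFS SPN
$Computer = Get-ADComputer -Filter "Name -eq '$StorageAccount'" -Properties ServicePrincipalNames, PasswordLastSet
if (-not $Computer) { throw "No AD computer account named $StorageAccount found, the domain join did not complete" }
$SpnOk = $Computer.ServicePrincipalNames -contains $ExpectedSpn
Write-Host "AD computer account    : $($Computer.DistinguishedName)"
Write-Host "SPN $ExpectedSpn present: $SpnOk"
# The computer account password is the Kerberos key for the share; keep its age in view for rotation
Write-Host "Password last set      : $($Computer.PasswordLastSet)"

# 2. Azure side: directory service must be AD and the registered SID must match the AD object
$Account = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$Auth = $Account.AzureFilesIdentityBasedAuth
Write-Host "DirectoryServiceOptions: $($Auth.DirectoryServiceOptions)"
Write-Host "Registered domain      : $($Auth.ActiveDirectoryProperties.DomainName) (SID $($Auth.ActiveDirectoryProperties.DomainSid))"
if ($Auth.ActiveDirectoryProperties.AzureStorageSid -ne $Computer.SID.Value) {
    Write-Host "Warning: the SID registered in Azure does not match the AD computer object" -ForegroundColor Yellow
}

# 3. Network: SMB to Azure Files needs outbound TCP 445, which many ISPs and perimeter firewalls block
$Probe = Test-NetConnection -ComputerName "$StorageAccount.file.core.windows.net" -Port 445
Write-Host "TCP 445 reachable      : $($Probe.TcpTestSucceeded)"
```

If the SPN is missing or the SID does not match, re-run the join rather than editing the computer object by hand, so that the key stored on the Azure side and the password on the AD object stay in sync.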

4. Assign the required roles to your security principals.

Now that the storage account is joined to the domain, we need to assign the right role-based access controls at the Azure file share level. A role assignment grants access at share level only; the NTFS permissions on the folders and files inside the share still apply on top of it.

Three built-in roles are available for access to the Azure file share:

  • Storage File Data SMB Share Reader allows read access in Azure Storage file shares over SMB.
  • Storage File Data SMB Share Contributor allows read, write, and delete access in Azure Storage file shares over SMB.
  • Storage File Data SMB Share Elevated Contributor allows read, write, delete and modify permissions in Azure Storage file shares over SMB

The following script assigns the chosen role to a security principal at the file share scope. Note: the script looks the principal up with -SignInName, so it must be a user's UPN (username@corp.something); to assign a role to a group, pass the group's object ID with -ObjectId instead.

Download the script here, or copy paste the scriptblock below. After running the script you will be able to mount the Azure File share in the context of the security principal.
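Share-level RBAC is one half of the access model; the other half is the NTFS ACL on the share content, which the diagram above mentions but none of the scripts here set. The block below is an added example, not part of the original post or its scripts: it mounts the share once with the storage account key to set NTFS permissions for a domain group, then mounts it again as the signed-in domain user to confirm that Kerberos access works. Storage account, resource group, share name, group name and drive letters are assumptions; it runs on a domain-joined Windows machine with the Az.Storage module loaded and an Az login in place.

```powershell
# Added example (not from the original post): set NTFS permissions on the share and verify a Kerberos
# mount. The storage account key is a superuser credential that bypasses RBAC, so it is used only for
# the ACL work and the mapping is removed straight afterwards. All names below are assumptions.
$StorageAccount   = "stlrstucfrcprdfile"
$ResourceGroup    = "tuc-hub-storage-rg"
$ShareName        = "profiles"
$ContributorGroup = "CORP\FileShare-Contributors"
$SharePath        = "\\$StorageAccount.file.core.windows.net\$ShareName"
$KeyUser          = "Azure\$StorageAccount"

# 1. Admin mount with the account key
$Key = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $StorageAccount)[0].Value
net use Z: $SharePath /user:$KeyUser $Key | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not mount $SharePath with the storage account key" }

# 2. NTFS ACLs: the group gets Modify on existing and future content. The RBAC role still caps what any
#    identity can do at share level (Reader / Contributor / Elevated Contributor), NTFS narrows it further.
icacls "Z:\" /grant "${ContributorGroup}:(OI)(CI)(M)" /T
icacls "Z:\"

net use Z: /delete /y | Out-Null

# 3. User mount: no credentials are passed, so the Kerberos ticket of the logged-on domain user is used
net use Y: $SharePath | Out-Null
if ($LASTEXITCODE -eq 0) {
    Write-Host "Kerberos mount succeeded as $env:USERDOMAIN\$env:USERNAME" -ForegroundColor Green
    # Show the service ticket that was issued for the share and its encryption type
    klist get "cifs/$StorageAccount.file.core.windows.net" | Select-String "Server:|KerbTicket Encryption Type"
    net use Y: /delete /y | Out-Null
}
else {
    Write-Host "Kerberos mount failed, check the RBAC assignment, the SPN on the computer account and TCP 445 reachability" -ForegroundColor Red
}
```

Keep the key-based mount out of day-to-day use: anyone with the account key has full access to every share in the account regardless of RBAC or NTFS permissions, so rotate the key after ACL maintenance sessions if it has been handled interactively.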

Powershell Script
########################
#
# Name: Azure Files RBAC
# Author: Yannick Dils
# Version: v0.1
#
########################


Write-Host "Let's get started" -ForegroundColor Cyan
Start-Sleep -Seconds 3

########################
#
# Set General Variables and Naming Conventions
#
########################

Write-Host "Step 1 : Let's define some variables and naming conventions" -ForegroundColor Cyan

Write-Host "Enter a 3 letter word abbreviation for your customer or project (example: tuc, vdc) : " -ForegroundColor Yellow -NoNewline
$Cus = Read-Host
Write-Host "Enter a 3 letter word abbreviation for your environment (example: hub, prd, tst, dev, acc) : " -ForegroundColor Yellow -NoNewline
$Env = Read-host
$FullLocation = "France Central"
$NamingConv = "st" + "lrs" + $Cus + "frc" + $Env + "file"
$SAFILE = $NamingConv
$RGDATA = $Cus + "-hub-storage-rg"
Write-Host "Enter a name for your fileshare (example: fileserver, profiles,..) : " -ForegroundColor Yellow -NoNewline
$FileShareName = Read-host



########################
#
# Set the names of the Azure Files Roles into Variables
#
########################

Write-Host "Step 2 : Let's store the Azure File Storage Roles into variables for later use" -ForegroundColor Cyan


$Reader = "Storage File Data SMB Share Reader" # R permissions
$Contributor = "Storage File Data SMB Share Contributor" # R W D permissions
$ElevatedContributor ="Storage File Data SMB Share Elevated Contributor" # R W D M permissions

########################
#
# Enter the specific group in UPN format and store them into variables
#
########################

Write-Host "Step 3 : Enter the security principal that needs to receive the required access controls (UPN format required):`n" -ForegroundColor Cyan
Write-Host "Read Group = Storage File Data SMB Share Reader # R permissions" -ForegroundColor Green
Write-Host "Contributor Group = Storage File Data SMB Share Contributor # R W D permissions" -ForegroundColor Green
Write-Host "ElevatedContributor = Storage File Data SMB Share Elevated Contributor # R W D M permissions`n" -ForegroundColor green

Write-Host "Enter the Reader Security Principal UPN Name : (Leave empty if not required) :" -ForegroundColor Yellow -NoNewline
$ReadGroup = Read-Host
Write-Host "Enter the Contributor Security Principal UPN name : (Leave empty if not required) :" -ForegroundColor Yellow -NoNewline
$ContributorGroup = Read-Host
Write-Host "Elevated Contributor Security Principal UPN name : (Leave empty if not required) :" -ForegroundColor Yellow -NoNewline
$ElevatedContributorGroup = Read-host

########################
#
# Set the scope onto our subscription and specific  Azure File Share
#
########################

Write-Host "`nStep 4 : Let's set our subscription scope`n" -ForegroundColor Cyan
Connect-AzAccount
$Subscriptions = Get-AzSubscription
Write-Host "Step 5 : These are your available subscriptions`n" -ForegroundColor Cyan
Write-host $Subscriptions.Name -ForegroundColor Cyan -BackgroundColor Black

Write-Host "`nStep 6 : Enter the subscription name : " -ForegroundColor Yellow -NoNewline
$SubscriptionName = Read-host
Select-AzSubscription -Subscription $SubscriptionName
$Subscription = Get-AzSubscription -SubscriptionName $SubscriptionName

$SubScriptionID = $Subscription.SubscriptionId


# Storage account names are always lower-case, and the share-level scope must be the exact resource ID of the share
$scope = "/subscriptions/$SubscriptionID/resourceGroups/$RGDATA/providers/Microsoft.Storage/storageAccounts/$($SAFILE.ToLower())/fileServices/default/fileshares/$FileShareName"

########################
#
# Let's assign the role to the specified security principal and scope
#
########################

##########
#
#  Reader Group
#
##########

If($ReadGroup -eq "")
        {
        Write-Host "You haven't entered any Reader Group, we will skip this role assignment for now" -ForegroundColor Yellow
        }
else
        {
        Write-Host "We are now verifying the  Reader Group role assignment for Security Principal $ReadGroup" -ForegroundColor Cyan
        $RoleAssignment = Get-AzRoleAssignment -SignInName $ReadGroup -RoleDefinitionName $Reader -Scope $scope -ErrorAction SilentlyContinue

        If ($RoleAssignment)
                {
                Write-host "The role assignment already exists, we don't need to add the specific assignment" -ForegroundColor Cyan
                }
        else
                {
                Write-Host "The role assignment is being created" -ForegroundColor Cyan
                New-AzRoleAssignment -SignInName $ReadGroup -RoleDefinitionName $Reader -Scope $scope
                }

        }




##########
#
#  Contributor Group
#
##########


If($ContributorGroup -eq "")
        {
        Write-Host "You haven't entered any Contributor Group, we will skip this role assignment for now" -ForegroundColor Yellow
        }
else
        {
        Write-Host "We are now verifying the  Contributor Group role assignment for Security Principal $ContributorGroup" -ForegroundColor Cyan
        $RoleAssignment = Get-AzRoleAssignment -SignInName $ContributorGroup -RoleDefinitionName $Contributor -Scope $scope -ErrorAction SilentlyContinue

        If ($RoleAssignment)
                {
                Write-host "The role assignment already exists, we don't need to add the specific assignment" -ForegroundColor Cyan
                }
        else
                {
                Write-Host "The role assignment is being created" -ForegroundColor Cyan
                New-AzRoleAssignment -SignInName $ContributorGroup -RoleDefinitionName $Contributor -Scope $scope
                }

        }



##########
#
# Elevated Contributor Group
#
##########

If($ElevatedContributorGroup -eq "")
        {
        Write-Host "You haven't entered any Elevated Contributor Group, we will skip this role assignment for now" -ForegroundColor Yellow
        }
else
        {
        Write-Host "We are now verifying the Elevated Contributor Group role assignment for Security Principal $ElevatedContributorGroup" -ForegroundColor Cyan
        $RoleAssignment = Get-AzRoleAssignment -SignInName $ElevatedContributorGroup -RoleDefinitionName $ElevatedContributor -Scope $scope -ErrorAction SilentlyContinue 

        If ($RoleAssignment)
                {
                Write-host "The role assignment already exists, we don't need to add the specific assignment" -ForegroundColor Cyan
                }
        else
                {
                Write-Host "The role assignment is being created" -ForegroundColor Cyan
                New-AzRoleAssignment -SignInName $ElevatedContributorGroup -RoleDefinitionName $ElevatedContributor -Scope $scope
                }

        }


#Get-AzRoleAssignment -scope $scope

Write-Host "`nEnd of Script" -ForegroundColor Cyan

Sleep 5
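The script above passes the principal to -SignInName, which resolves users by their UPN; an Azure AD group has to be addressed by its object ID instead. The following helper is an added example (not part of the original script) that resolves either a user UPN or a group display name to an object ID and then performs the same idempotent assignment. It assumes Connect-AzAccount has already run and that $scope is the file share scope built above; the group names are constructed placeholders.

```powershell
# Added example, not from the original post: assign the three Azure Files
# share-level roles to users (by UPN) or groups (by display name).
# Assumes Az.Accounts and Az.Resources are loaded and $scope is already set.

function Resolve-PrincipalObjectId {
    param([Parameter(Mandatory)][string]$Principal)

    # A value containing '@' is treated as a user principal name ...
    if ($Principal -like '*@*') {
        $user = Get-AzADUser -UserPrincipalName $Principal -ErrorAction SilentlyContinue
        if ($user) { return $user.Id }
    }
    # ... anything else is looked up as a security group display name.
    $group = @(Get-AzADGroup -DisplayName $Principal -ErrorAction SilentlyContinue)
    if ($group.Count -gt 1) { throw "Group name '$Principal' is ambiguous, use the object ID" }
    if ($group.Count -eq 1) { return $group[0].Id }
    throw "Principal '$Principal' was not found in Azure AD"
}

function Set-ShareRoleAssignment {
    param(
        [Parameter(Mandatory)][string]$Principal,
        [Parameter(Mandatory)][string]$RoleDefinitionName,
        [Parameter(Mandatory)][string]$Scope
    )
    $objectId = Resolve-PrincipalObjectId -Principal $Principal

    # Same existence check as the script above, but keyed on the object ID so it works for groups.
    $existing = Get-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName $RoleDefinitionName `
        -Scope $Scope -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "'$RoleDefinitionName' is already assigned to $Principal at this scope" -ForegroundColor Cyan
        return $existing
    }
    Write-Host "Assigning '$RoleDefinitionName' to $Principal" -ForegroundColor Cyan
    New-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName $RoleDefinitionName -Scope $Scope
}

# Group names are constructed placeholders; the role names are the built-in Azure Files roles.
$assignments = @{
    'sg-files-readers'      = 'Storage File Data SMB Share Reader'
    'sg-files-contributors' = 'Storage File Data SMB Share Contributor'
    'sg-files-admins'       = 'Storage File Data SMB Share Elevated Contributor'
}
foreach ($entry in $assignments.GetEnumerator()) {
    Set-ShareRoleAssignment -Principal $entry.Key -RoleDefinitionName $entry.Value -Scope $scope
}
```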

5. Mount the Azure File Share with elevated privileges and start configuring NTFS permissions.

In the previous section we set the share-level permissions. As with a traditional file server installation, we add a second layer of security on top of that: NTFS permissions.

By mounting the Azure File share with the storage account access key we elevate our privileges, which allows us to set fine-grained NTFS ACLs.

The following script mounts the share on the drive letter you choose, authenticating with the access keys of your storage account.

Download the script here or copy the scriptblock below.

Powershell Script
########################
#
# Name: Mount Azure File Share
# Author: Yannick Dils
# Version: v0.1
#
########################

Write-Host "Let's get started" -ForegroundColor Cyan
Sleep 3

########################
#
# Create Naming Convention + Location and Name Variables
#
########################


Write-Host "Step 1 : Let's define some variables and naming conventions`n" -ForegroundColor Cyan

Write-Host "Enter a 3 letter word abbreviation for your customer or project (example: tuc, vdc) : " -ForegroundColor Yellow -NoNewline
$Cus = Read-Host
Write-Host "Enter a 3 letter word abbreviation for your environment (example: hub, prd, tst, dev, acc) : " -ForegroundColor Yellow -NoNewline
$Env = Read-host
$FullLocation = "France Central"
$NamingConv = "st" + "lrs" + $Cus + "frc" + $Env + "file"
$SAFILE = $NamingConv
$RGDATA = $Cus + "-hub-storage-rg"
Write-Host "Enter a name for your fileshare (example: fileserver, profiles,..) : " -ForegroundColor Yellow -NoNewline
$FileShareName = Read-host
Write-Host "Enter a driveletter for your fileshare (example: F, G, P..) : " -ForegroundColor Yellow -NoNewline
$DriveLetter = Read-Host


########################
#
# Login with an Azure AD credential that has either the Owner or Contributor RBAC assignment on the storage account
#
########################

Write-Host "Step 2 : Let's connect to our Azure Subscriptions" -ForegroundColor Cyan
Sleep 3
Connect-AzAccount

########################
#
# Select the Azure Subscription where your Storage Account is located
#
########################

$Subscriptions = Get-AzSubscription
Write-Host "Step 3 : These are your available subscriptions" -ForegroundColor Cyan
Write-host $Subscriptions.Name -ForegroundColor Cyan -BackgroundColor Black

Write-Host "`nEnter the subscription name : " -ForegroundColor Yellow -NoNewline
$SubscriptionName = Read-host
Select-AzSubscription -Subscription $SubscriptionName

########################
#
# Retrieve the Storage Account Details and Access Tokens
#
########################

Write-Host "Step 4 : We are now retrieving the storage account details and access tokens" -ForegroundColor Cyan

$storageAccount = Get-AzStorageAccount -ResourceGroupName $RGDATA -Name $SAFILE
$storageAccountKeys = Get-AzStorageAccountKey -ResourceGroupName $RGDATA -Name $SAFILE

########################
#
# Retrieve the FileShare Details
#
########################

Write-Host "Step 5 : We are now retrieving the file share details" -ForegroundColor Cyan


$fileShare = Get-AzStorageShare -Context $storageAccount.Context | Where-Object { 
    $_.Name -eq $fileShareName -and $_.IsSnapshot -eq $false
}

if ($fileShare -eq $null) {
    throw [System.Exception]::new("Azure file share not found")
}

########################
#
# Mount the Azure File Storage
#
########################

Write-Host "Step 6 : Your file share is being mounted" -ForegroundColor Cyan


# The storage account key grants full access to the whole storage account; it is used here only for this elevated administrative session
$password = ConvertTo-SecureString -String $storageAccountKeys[0].Value -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential -ArgumentList "AZURE\$($storageAccount.StorageAccountName)", $password
# Map the share as a persistent drive; the UNC host is the file endpoint of the storage account
New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root "\\$($fileShare.StorageUri.PrimaryUri.Host)\$($fileShare.Name)" -Credential $credential -Persist

Write-Host "Step 7 : Let's open up our file share in an explorer window" -ForegroundColor Cyan

$path = $DriveLetter + ":\" 
Invoke-Item $path

Write-Host "`nEnd of script" -ForegroundColor Cyan
Sleep 5

########################
#
# End of script
#
########################
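Once the share is mounted with the account key, the NTFS layer described above can be set from the same session instead of through Explorer. The following is an added example (not part of the original post) that replaces the broad default grant with explicit rules mirroring the three share-level roles; it assumes $DriveLetter from the mount script, uses Get-Acl/Set-Acl (icacls would do the same job), and the domain and group names are constructed placeholders.

```powershell
# Added example, not from the original post: apply NTFS ACLs on the mounted share
# that mirror the Reader / Contributor / Elevated Contributor share-level roles.
# Domain 'CONTOSO' and the group names below are constructed placeholders.

function Set-ShareNtfsPermissions {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ReaderGroup,
        [Parameter(Mandatory)][string]$ContributorGroup,
        [Parameter(Mandatory)][string]$ElevatedGroup
    )
    $acl = Get-Acl -Path $Path

    # The share root is created with "Authenticated Users: Modify"; remove that
    # broad grant (if present) so access is governed by the explicit group rules.
    $authUsers = [System.Security.Principal.NTAccount]'NT AUTHORITY\Authenticated Users'
    [void]$acl.PurgeAccessRules($authUsers)

    # Rules apply to the folder, its subfolders and files.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow

    # Reader = read/list/execute, Contributor = modify (create, write, delete),
    # Elevated Contributor = full control (can change permissions).
    $rules = @(
        @{ Identity = $ReaderGroup;      Rights = 'ReadAndExecute' },
        @{ Identity = $ContributorGroup; Rights = 'Modify' },
        @{ Identity = $ElevatedGroup;    Rights = 'FullControl' }
    )
    foreach ($r in $rules) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $r.Identity, $r.Rights, $inherit, $propagate, $allow)
        $acl.SetAccessRule($rule)   # replaces any existing Allow rule for that identity
    }
    Set-Acl -Path $Path -AclObject $acl

    # Return the effective explicit rules so the result can be reviewed.
    return (Get-Acl -Path $Path).Access | Where-Object { -not $_.IsInherited }
}

Set-ShareNtfsPermissions -Path ($DriveLetter + ':\') `
    -ReaderGroup 'CONTOSO\sg-files-readers' `
    -ContributorGroup 'CONTOSO\sg-files-contributors' `
    -ElevatedGroup 'CONTOSO\sg-files-admins' |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```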

6. Next Steps

Possible next steps:

  • Configure a private endpoint on the storage account to secure connectivity within your virtual networks
  • Set up Azure File Sync to start migrating your data
  • Create a new DFS namespace to allow easier translation of common names

Feel free to comment or provide additional insights on the scripts and documentation provided.

The post Moving your data to a serverless infrastructure with Azure Files and Active Directory Authentication (Preview) appeared first on Tunecom.


Azure AD Domain Services – SKU updates (Tunecom, Wed, 19 Feb 2020, https://www.tunecom.be/stg_ba12f/?p=565)

What’s new in the world of Azure AADS SKUs.

Recently (31/01/2020) Microsoft has made a couple of changes to the way that Azure AD Domain Services are being consumed and billed.

Previous version:

When deploying a new Azure AD Domain Services instance, you were not able to choose a SKU. The following tiered pricing was applied to your AADS instance based on the number of objects.

So if you started with a brand new instance of Azure AD Domain Services, you would land in the Standard tier, generating about € 96.72 when calculated with 744 hours of uptime (a 31-day month). Depending on the number of objects, you would move up to the Enterprise tier.

Tier based pricing previous AADS release

Current release:

With the “new” release of AADS the tier-based pricing itself hasn’t changed much.

Tier based pricing
Tier based pricing overview AADS

! But be aware that if you use the same deployment scripts as before, you will end up with an Enterprise SKU of AADS by default.

! Note the additional option to create a resource forest, which I believe was included in the previous pricing model, starting from a Standard SKU. To review the latest changes with regards to Azure AD Domain Services, be sure to check out the latest docs article.

Note the price difference:

Standard Pricing Tier
Enterprise Pricing Tier

Discover your current SKU level with Azure Resource Graph

If you are an MSP managing multiple customers via Azure Lighthouse, you can use Azure Resource Graph Explorer.

Use the following query to identify AADS instances on the Enterprise SKU.

where type == "microsoft.aad/domainservices"
 | where properties.sku == "Enterprise"

Azure Resource Graph – Enterprise AADS Query

If all is well, you shouldn’t see any results.

Results Pane

To verify that your instances are on the Standard tier, run the following query.

where type == "microsoft.aad/domainservices"
 | where properties.sku == "Standard"

Azure Resource Graph – Standard AADS Query

You should now see the AADS instances running the “Standard” SKU.

Results Pane

Discover your current SKU level in the Azure Portal

Navigate to your Azure AD Domain Services instance and select SKU.

Verify that you are running on the Standard tier. If needed, change to the tier that matches your requirements.
