Category archive: Microsoft

Configure Active Directory Auth for Azure files to use for Azure Fileshares and WVD

In the past I gave a lot of talks about Azure File Sync, a lightweight solution to sync servers from different locations and branches via Azure Files. One frequent question was whether it is possible to use Azure Files directly with integrated Active Directory authentication. Since a few days the great answer is: yes, this is possible.

Now you can use Azure Files with on-premises Active Directory authentication as a full replacement for file servers. There is no need for Azure Active Directory Domain Services (Azure AD DS) or different settings on Azure Files. This opens great new ways to use Azure Files for file shares and to use Azure Files directly for WVD, coming closer to a cloud-native solution or to a full replacement for on-premises file servers.

In this article I will explain how to configure AD authentication for Azure Files and list information about region availability, some basic steps and more. Please feel free to use the comment section or Twitter to get in touch with me and give me feedback about the article and the solution.

General

Workflow to enable Azure AD authentication over SMB from Microsoft Docs

Region availability

Right now the service is in public preview and can be used in a broad range of regions. The rollout to the biggest regions is running right now, and the plan is to enable the feature in all available regions by the end of March.

The service is currently available in the following regions, among others:

  • France Central
  • UK West
  • Germany West Central
  • West and North Europe

The service is not yet available in the following regions:

  • West US and West US 2
  • East US and East US 2

Requirements

There are some requirements to enable AD authentication for Azure Files:

  • An existing Active Directory Domain Services (AD DS) domain
  • The identities used must be synced to Azure AD via Azure AD Connect
  • The Azure AD tenant and the file share must be associated with the same subscription
  • The VM must be joined to the existing AD domain
  • Use a supported region
  • Only supported on machines newer than Windows 7 / Windows Server 2008 R2 (both EoL)
  • Azure Files PowerShell module
    • Needs Az module 2.0.0+ and Az.Storage 1.8.2-preview+
  • The client must be domain-joined to use the module
    • The account must have permissions to create computer accounts or service accounts in the domain/OU

Keep in mind that only one authentication provider can be used for an Azure file share: either Azure AD Domain Services (Azure AD DS) or Active Directory (AD).

Recommendations

  • Use separate Storage Accounts for Azure file share AD authentication
  • Create a dedicated OU for Azure file share AD authentication

As a best practice it is useful to use separate Storage Accounts for Azure Files AD authentication, because with activation the file share becomes a member of the domain (in effect, the Storage Account joins the domain).

Each domain uses GPOs to enforce settings for each OU in the domain. To avoid GPO-related issues for Storage Accounts that become domain members, I recommend creating and using a separate OU for the Storage Accounts.

Preparation

To use Azure Files with integrated SMB authentication, an additional PowerShell module is needed. This module is available for download from the Azure Samples GitHub page. Please use the latest version.

Domain with separate OU for Azure fileshares

For better management and separation, create a new OU for the Storage Accounts.

Enable Azure Files for AD authentication

To enable Azure Files for AD authentication, the following steps are needed.

  • Unzip the downloaded ZIP archive AzFilesHybrid.zip
  • [Optional] Create an OU for the Storage Accounts
  • Create a (separate) Storage Account in Azure
  • Create an Azure file share in the Storage Account
  • On a domain-member client, start an elevated PowerShell session with an account that has rights to create computer and service accounts in the domain
  • Run the following PowerShell commands
    • green = optional
    • red = important
# Change the execution policy to unblock importing the AzFilesHybrid.psm1 module
# (Unrestricted is what the listing uses; RemoteSigned is sufficient if the downloaded files are unblocked)
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
# Navigate to where AzFilesHybrid is unzipped and stored, then run the script to copy the files into your module path
.\CopyToPSPath.ps1
# Import the AzFilesHybrid module
Import-Module -Name AzFilesHybrid
# Log in with an Azure AD credential that has either the Owner or Contributor RBAC assignment on the storage account
Connect-AzAccount
# Select the target subscription for the current session
Select-AzSubscription -SubscriptionId "<your-subscription-id-here>"
# Register the target storage account with your Active Directory environment under the target OU
Join-AzStorageAccountForAuth -ResourceGroupName "<resource-group-name-here>" -Name "<storage-account-name-here>" -DomainAccountType "<ServiceLogonAccount|ComputerAccount>" -OrganizationalUnitName "<ou-name-here>"

Here is a short code example:

Join-AzStorageAccountForAuth -ResourceGroupName "Storage_rg" -Name "azfilesadauthsa" -DomainAccountType "ComputerAccount" -OrganizationalUnitName "AzFileShares"

Azure storage account joins the domain

When using the correct permissions, the storage account joins the domain as a computer object or service logon account, and the following message is shown.

Domain OU shows an Azure storage account as a computer object

Keep an eye on the OU you specified for joining: the result is a new computer object with the name of the storage account.

With these steps, AD authentication for Azure file shares is enabled.

Now it's useful to define the initial permissions from the Azure AD portal. This is explained in the article Why Azure AD RBAC roles are needed for Active Directory file share authentication.
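A post-join check I would run from the domain-joined client, added here as an example; it is not part of the article and not from the AzFilesHybrid module. It assumes the names from the example above (resource group Storage_rg, storage account azfilesadauthsa, OU AzFileShares), the AzureFilesIdentityBasedAuth properties exposed by Az.Storage 1.8.2-preview and later, and the RSAT ActiveDirectory module.

```powershell
# Added example: verify the result of Join-AzStorageAccountForAuth from the domain-joined client.
# Assumes the names from the article's example (Storage_rg / azfilesadauthsa / AzFileShares),
# Az.Storage >= 1.8.2-preview and the RSAT ActiveDirectory module.
param(
    [string]$ResourceGroupName  = "Storage_rg",
    [string]$StorageAccountName = "azfilesadauthsa",
    [string]$OuName             = "AzFileShares"
)

Import-Module Az.Storage, ActiveDirectory -ErrorAction Stop

# 1. The storage account must report AD (not AADDS or None) as its directory service.
$sa   = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
$auth = $sa.AzureFilesIdentityBasedAuth
if (-not $auth -or $auth.DirectoryServiceOptions -ne "AD") {
    throw "$StorageAccountName is not AD-enabled (DirectoryServiceOptions = '$($auth.DirectoryServiceOptions)')."
}
$adProps = $auth.ActiveDirectoryProperties
Write-Host "Domain: $($adProps.DomainName)  Forest: $($adProps.ForestName)  Storage SID: $($adProps.AzureStorageSid)"

# 2. The computer object must exist in AD, ideally in the dedicated OU so that only that OU's GPOs apply.
$computer = Get-ADComputer -Identity $StorageAccountName -ErrorAction Stop
if ($computer.DistinguishedName -notlike "*,OU=$OuName,*") {
    Write-Warning "Object lives in '$($computer.DistinguishedName)', not in OU '$OuName'; check GPO scope."
}

# 3. AD and the storage account must agree on the identity; a SID mismatch breaks Kerberos ticket validation.
if ($computer.SID.Value -ne $adProps.AzureStorageSid) {
    throw "SID mismatch: AD = $($computer.SID.Value), storage account = $($adProps.AzureStorageSid)."
}

# 4. SMB over TCP 445 must be reachable; many ISPs and perimeter firewalls block it, which looks like an auth failure.
$fqdn = "$StorageAccountName.file.core.windows.net"
$tnc  = Test-NetConnection -ComputerName $fqdn -Port 445 -WarningAction SilentlyContinue
if (-not $tnc.TcpTestSucceeded) {
    Write-Warning "TCP 445 to $fqdn is blocked; mount over a VPN/ExpressRoute path or allow 445 outbound."
} else {
    Write-Host "$StorageAccountName is joined to $($adProps.DomainName), SIDs match and port 445 is reachable."
}
```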


Azure HA – VM SLA Level Compare to Availability Sets and Availability Zones – Latency is the key

In the past I have done a lot of Azure Governance workshops. One part of these workshops covers the high availability options in Azure. This article describes the different SLAs for VM workloads in Azure. I often get asked about the SLA levels and their requirements. In these discussions many people are confused about the difference between Availability Sets and Availability Zones and how these compare to the SLA. The new Proximity Placement Groups feature comes into play to complete the confusion. This article describes the differences between these features.

Bye Bye Windows Server 2008R2 It was a good time – Get Extended Support and think about a change

Today Windows Server 2008 (R2) / Windows 7 reach their end of life (14.01.20) and no longer receive security updates.

I think it was a great time with Windows Server 2008. WS2008 launched Hyper-V, one of the most powerful hypervisors on the market and the foundation of today's Azure infrastructure. With WS2008, the first version of Server Manager, the forerunner of Windows Admin Center, was released.

In this article, I will list some of your options to get extended support for Windows Server 2008 (R2), but I prefer to discuss new solutions to replace the outdated infrastructure. Use this date to consider moving your infrastructure to the same flexible and scalable environment you had when Windows Server 2008 was introduced.

I know the time is too short to demote the existing Windows Server 2008 R2 and migrate the workloads to a newer operating system. But now it's time to modernize your landscape. See which solutions Microsoft offers to extend the time or to renew the infrastructure.

Azure Bastion – Secure Access Azure VMs via SSH/RDP without Public IP or Jumphosts

Azure Bastion is a new service to reach Azure VMs in a secure way without needing a jump host in the same VNET or publishing a public IP for a VM.

Azure Bastion has been in public preview since the end of June 2019. Now the service is generally available (since Microsoft Ignite 2019) and many limitations are gone. This article gives a short introduction to the service and its new features, and shows how easy it is to roll out the service in your environment to reach Azure VMs (Windows or Linux) in a secure way.

Azure Bastion architecture from MS docs

Review of 2019 + Outlook for 2020

The year 2019 is drawing to a close, and with it an eventful, varied and exciting decade. Many of us are enjoying the Christmas holidays with the family and are already preparing the New Year's Eve party. 2019 was a great and varied year, both from a professional and a private perspective. In this article I would like to give a short review of 2019 and at the same time venture an outlook on 2020 😉

Personal

MVP Summit 2019 logo photo

From a personal point of view, 2019 was an exciting year. In March I was able to attend the Microsoft MVP Summit in Redmond for the first time. It was an unforgettable experience to meet and get to know so many people with the same passion. Lots of exchange and shop talk. I had many great experiences with community colleagues who became friends over time. I could list quite a few here, but I think most of them know who I mean 🙂

Azure Advent Calendar Session about Azure Bastion

Azure Advent Calendar Azure Bastion session

Hi folks, we are at the end of the year and many advent calendars are running right now. One great idea came from Robert and Gregor: they founded the Azure Advent Calendar, a calendar with Azure sessions about different services. Every day, 3 sessions on different Azure topics are released. There is a lot of content available now. So thanks Robert and Gregor for this great initiative.

I'm happy to contribute with a session about Azure Bastion, a secure way to access your Azure VMs without the need for a jump host or binding a public IP address to a server.

Azure Saturday Cologne 2019 – Azure Bastion Slides

Yesterday the first Azure Saturday took place in Cologne. It was organized by Jennifer, Raphael and Martin and was a successful kickoff. Great organization and an absolutely outstanding location at Gothar made for a successful event. On top of that, many different speakers and a wide range of topics provided plenty of exchange and networking.

In the afternoon I was able to contribute a small part to the Azure Saturday Cologne myself with two sessions.

MSIgnite 2019 Azure News and Announcements Part 2

Many new features and enhancements for Azure were announced at the last Microsoft Ignite. I have written about many of them in the 1st part of this article. This article focuses on the announcements missed in the first article.

Keep in mind our Meetup appointments next week in Thueringen and Cologne/Bonn.

MSIgnite 2019 Azure News and Announcements Part 1

Microsoft Ignite has been running since Monday, and in this blog post I will give you a short overview of the new announcements in the range of Azure services.

For each service there is a headline link to additional information in the Microsoft Azure blog article or on the updates site. If you have any questions about these announcements, please do not hesitate to contact me.

Don't miss our MSIgnite Azure Recap Meetups in Thueringen and Bonn. Information about the Meetups is at the end of the article.

Expanding existing Azure file shares to 100 TB for Azure File Sync

In the run-up to Ignite, a small surprise was announced in the Azure blog a few days ago: Announcing the general availability of larger, more powerful standard file shares for Azure Files. This means the new performance values are being rolled out to all existing Azure file shares in the standard tier. This also removes the previous limit of 5 TB for Azure file shares and, connected with it, for Azure File Sync. The new performance values are as follows:

  • IOPS: 10,000 (previously 1,000)
  • Throughput: 300 MB/sec (previously 60 MB/sec)
  • File share size: 100 TB (previously 5 TB)

Until now, Azure file shares were limited to 5 TB. The share is used as the storage location for the Azure File Sync files, so the same limit applied there. But this challenge is solved, and existing file shares can be expanded to the new size via the Azure portal. This article briefly shows the necessary steps.