In the last few days I have created some Azure Landing Zones. To secure access to the Azure resources within the landing zone for different users, customers use a P2S connection through the Azure VPN Gateway with Azure AD for authentication.
Sometimes I see mistakes in the Azure VPN Point-to-site configuration blade that result in the error “Server did not respond properly to vpn control packets” when trying to connect to the VPN Gateway with the Azure VPN Client.
These error messages are often caused by incorrect values in the basic settings. To resolve the issue it is essential to configure the three fields Tenant, Audience and Issuer correctly.
Please pay close attention to the following settings:
The Tenant field must be specified in the following notation: “https://login.microsoftonline.com/your-Azuread-Tenant-ID-here/”. Do not omit the trailing slash (/) at the end.
The Audience field must contain only the Enterprise Application ID of the Azure VPN client (this is the same for all tenants), “41b23e61-6c1e-4545-b367-cd054e0ed4b4”, without any other characters or spaces.
The Issuer field must be specified in the following notation: “https://sts.windows.net/your-Azuread-Tenant-ID-here/”. Do not omit the trailing slash (/) at the end.
Please be aware of the difference between the Tenant field (begins with https://login….) and the Issuer field (begins with https://sts.win…).
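As an added example (not part of the original post), the following Python function checks the three fields against exactly the rules described above before they are pasted into the portal: the Tenant and Issuer URIs must use the right host and end with a slash, the Audience must be exactly the Azure VPN client app ID with nothing around it, and both URIs must reference the same tenant ID. The tenant ID used in the demonstration is a constructed placeholder.

```python
import re

# Well-known Enterprise Application ID of the Azure VPN client (identical in
# every tenant; the value is the one given in the post above).
AZURE_VPN_CLIENT_APP_ID = "41b23e61-6c1e-4545-b367-cd054e0ed4b4"

_GUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
# Exact notation required for the Tenant and Issuer fields, trailing slash included.
_TENANT_RE = re.compile(rf"^https://login\.microsoftonline\.com/({_GUID})/$")
_ISSUER_RE = re.compile(rf"^https://sts\.windows\.net/({_GUID})/$")


def _check_uri(name: str, value: str, pattern: re.Pattern,
               expected_host: str, other_host: str) -> tuple:
    """Check one of the two URI fields; returns (findings, tenant_id_or_None)."""
    findings = []
    if value != value.strip():
        findings.append(f"{name}: leading or trailing whitespace")
    value = value.strip()
    m = pattern.match(value)
    if m:
        return findings, m.group(1).lower()
    if other_host in value:
        # The classic mix-up: Tenant notation pasted into Issuer or vice versa.
        findings.append(f"{name}: uses the {other_host} prefix; "
                        f"expected https://{expected_host}/<tenant-id>/")
    elif not value.endswith("/"):
        findings.append(f"{name}: missing trailing slash")
    else:
        findings.append(f"{name}: expected https://{expected_host}/<tenant-id>/")
    return findings, None


def check_p2s_aad_settings(tenant: str, audience: str, issuer: str) -> list:
    """Validate the Tenant, Audience and Issuer fields of an Azure AD P2S configuration.

    Returns a list of findings; an empty list means all three fields follow the
    notation described in the post.
    """
    findings, tenant_id = _check_uri("Tenant", tenant, _TENANT_RE,
                                     "login.microsoftonline.com", "sts.windows.net")
    issuer_findings, issuer_id = _check_uri("Issuer", issuer, _ISSUER_RE,
                                            "sts.windows.net", "login.microsoftonline.com")
    findings += issuer_findings

    # Audience must be exactly the app ID: no surrounding spaces, no extra characters.
    if audience != AZURE_VPN_CLIENT_APP_ID:
        if audience.strip().lower() == AZURE_VPN_CLIENT_APP_ID:
            findings.append("Audience: correct app ID but with extra whitespace or different casing")
        else:
            findings.append(f"Audience: must be exactly {AZURE_VPN_CLIENT_APP_ID}")

    # Both URIs embed the tenant ID; they have to point at the same directory.
    if tenant_id and issuer_id and tenant_id != issuer_id:
        findings.append("Tenant/Issuer: the two fields reference different tenant IDs")
    return findings


if __name__ == "__main__":
    # Constructed example tenant ID; replace it with your own Azure AD tenant ID.
    tid = "11111111-2222-3333-4444-555555555555"
    print(check_p2s_aad_settings(
        f"https://login.microsoftonline.com/{tid}/",
        AZURE_VPN_CLIENT_APP_ID,
        f"https://sts.windows.net/{tid}/",
    ))  # []
    print(check_p2s_aad_settings(
        f"https://login.microsoftonline.com/{tid}",    # missing trailing slash
        AZURE_VPN_CLIENT_APP_ID + " ",                 # trailing space
        f"https://login.microsoftonline.com/{tid}/",   # Tenant notation used for Issuer
    ))
```

Run the script as-is to see an empty result for a correct configuration and three findings for the common mistakes; in practice you would call check_p2s_aad_settings with the values copied from the Point-to-site configuration blade.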
Please contact me if you have any questions or if you find further errors and solutions 🙂
Our 1st IdentitySummit is over, and we had an amazing summit with our powerful speakers and our attendees.
We (the Azure Bonn Orga Team) started planning the summit in March 2020. The Orga Team of the AzureBonn Meetup consists of Melanie Eibl, Thomas Naunheim and René de la Motte. The idea came from Thomas (our identity expert), and we can say it was a wonderful idea.
We met at the Debeka Innovation Center (DICE) in Koblenz to organize and stream all the sessions from one central place. The current Corona situation unfortunately did not make a complete live event possible, so we met under the rules in force to ensure a smooth process and bring a little live feeling.
Now, after 6 sessions in 2 parallel tracks, we can say it was worth every minute of planning. Why?
The answer is simple: first of all because of our great speakers. Each session was planned with a minimum of 300, and each session went deep into the relevant topics, showing what needs to be considered, the pitfalls and the best practices available.
Microsoft Ignite 2020 has moved to a free, virtual conference with lots of online sessions about the Microsoft product world, such as Azure, Microsoft 365 and more. As every year, Microsoft announced new services and new features for existing services. In this blog post I will report on my highlights of the last 48 hours of Microsoft Ignite.
First of all, I’m a little sad because this was to be the first Microsoft Ignite I was able to attend in person. However, I’m glad that Microsoft offers this conference as a virtual version and gives us the opportunity to participate for free and get in contact with the product owners.
Satya Nadella opened MS Ignite with his keynote about challenging times, productivity and modern work, and how Microsoft services can help in every area with different services.
My focus area is Azure, as you know 🙂 And there were a lot of new announcements before and during Ignite.
This article will be updated after the MS Ignite ends.
A short note: I am pleased to announce that I support some Microsoft Ignite sessions as an ATE (Ask the Experts). What does this mean? I support the product team in the live sessions by answering additional questions. There are many possibilities to get in touch with the Microsoft product owner of each service, so check the session scheduler and join the relevant sessions to ask the product owners about services, features, possibilities and more.
These times are challenging, and I hope everyone is safe and healthy. Normally we have a lot of in-person community conferences, but currently we are moving a lot of these community meetings online. The good thing is that we have more time for our families and need less time for driving and so on.
In the 2nd half of 2020 I have the honor to speak at the following events:
And finally the virtual Cloud Identity Summit 2020. This is our first event, and we will focus only on cloud identity topics. The idea came from Thomas Naunheim, and we are really happy to realize this conference. The first speakers with great topics are announced, and more are coming. If you are interested in how to secure your cloud identities, this conference is a must-see.
In the past I have done a lot of Azure governance workshops, and one interesting topic is how to handle the break glass account. Before we go deeper, let us first take a look at what the break glass account is. For each administrator role in Azure or Office 365 it is best practice to use MFA to secure the account and improve the security of the tenant. To realize this, we normally use Conditional Access and create a rule that requires MFA for every admin login. But what can we do when:
the MFA service is down
we create a Conditional Access policy with a wrong rule set and lose sign-in access
we do not regularly update our control list and the admin account gets lost
For these cases we need a break glass account, an additional account with a highly secure password, to enter the tenant in an emergency. For this account there are some recommendations:
only use a generic account
create a complex password with more than 16 characters
for compliance reasons, divide the password into two parts
save each part in a different location
create a security group that contains the break glass accounts
create two break glass accounts with no standard username like breakglass@ or emergency
use the tenant name for the account
do not use a custom domain name
in future it will be possible to use a FIDO2 security key for break glass (right now this is in preview and not recommended for such a critical scenario)
Now we can discuss what is in some ways a security gap: a service account with Global Admin rights that does not require MFA for login. Now you see why it is so important to monitor these accounts and get notified when they are used for login.
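As an added example (not part of the original post), the following Python script turns two of the recommendations above into checks: a naming check that flags break glass UPNs with an obvious username, a custom domain or a domain other than the tenant default, and a detection that raises an alert for every sign-in attempt, successful or failed, by a member of the break glass security group. The tenant name, the custom domains, the group members and the sign-in events are all constructed placeholders; the event fields are a reduced form of the Azure AD sign-in record (userPrincipalName, ipAddress, appDisplayName, status.errorCode). In a real tenant the same logic would run as an alert rule over the exported sign-in logs.

```python
import json
import re

# Constructed tenant values (placeholders): the tenant's default *.onmicrosoft.com
# name and the custom domains verified in the tenant.
TENANT_DEFAULT_DOMAIN = "contoso.onmicrosoft.com"
CUSTOM_DOMAINS = {"contoso.com", "contoso.de"}

# Members of the break glass security group (constructed UPNs): two accounts with
# non-obvious names on the tenant default domain, as the post recommends.
BREAK_GLASS_GROUP = {
    "bg-7f3a@contoso.onmicrosoft.com",
    "bg-9c21@contoso.onmicrosoft.com",
}

# Local parts that give the purpose of the account away.
_OBVIOUS_LOCAL_PART = re.compile(r"breakglass|emergency", re.IGNORECASE)


def check_break_glass_upn(upn: str) -> list:
    """Findings against the naming recommendations; an empty list means compliant."""
    local, _, domain = upn.lower().partition("@")
    findings = []
    if _OBVIOUS_LOCAL_PART.search(local):
        findings.append("standard username such as breakglass@ or emergency@")
    if domain in CUSTOM_DOMAINS:
        findings.append("custom domain name used")
    elif domain != TENANT_DEFAULT_DOMAIN:
        findings.append(f"account is not on the tenant default domain {TENANT_DEFAULT_DOMAIN}")
    return findings


# Constructed sample of sign-in events, one JSON object per line; the error code
# values are constructed too (0 = success, anything else = failed sign-in).
SAMPLE_SIGNIN_LOG = """\
{"createdDateTime": "2020-09-24T08:12:03Z", "userPrincipalName": "alice@contoso.com", "ipAddress": "203.0.113.10", "appDisplayName": "Azure Portal", "status": {"errorCode": 0}}
{"createdDateTime": "2020-09-24T08:15:41Z", "userPrincipalName": "BG-7f3a@contoso.onmicrosoft.com", "ipAddress": "198.51.100.7", "appDisplayName": "Azure Portal", "status": {"errorCode": 0}}
{"createdDateTime": "2020-09-24T08:16:02Z", "userPrincipalName": "bg-9c21@contoso.onmicrosoft.com", "ipAddress": "198.51.100.7", "appDisplayName": "Azure Portal", "status": {"errorCode": 50126}}
"""


def detect_break_glass_signins(log_text: str, group=BREAK_GLASS_GROUP) -> list:
    """Return one alert per sign-in attempt by a break glass account.

    These accounts are exempt from MFA, so every use of them is notable; failed
    attempts are reported as well, since they may be someone guessing the password.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        upn = event.get("userPrincipalName", "").lower()   # UPNs are case-insensitive
        if upn not in group:
            continue
        error_code = event.get("status", {}).get("errorCode", 0)
        alerts.append({
            "time": event.get("createdDateTime"),
            "user": upn,
            "ip": event.get("ipAddress"),
            "app": event.get("appDisplayName"),
            "outcome": "success" if error_code == 0 else f"failure (error {error_code})",
        })
    return alerts


if __name__ == "__main__":
    for candidate in ("breakglass@contoso.com", "bg-7f3a@contoso.onmicrosoft.com"):
        print(candidate, check_break_glass_upn(candidate))
    for alert in detect_break_glass_signins(SAMPLE_SIGNIN_LOG):
        print("ALERT break glass account used:", alert)
```

The naming check is meant to run when the accounts are created or during a periodic review of the security group; the detection runs over the sign-in log and produces two alerts for the sample above (one successful and one failed use of a break glass account), while the ordinary user sign-in is ignored.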
In the last couple of days I have received a lot of questions about how to move Azure VMs between regions, so I decided to write a blog post about it. First of all, it is really important to understand which topics this article covers and which it does not.
To understand the article correctly, keep the following points in mind:
This article covers how to move Azure VMs between global regions with ASR
Global regions means all the standard available regions
This article does not cover movement between Azure Global and Azure Germany, Azure Government or China
An additional article about moving Azure VMs from Azure Germany to Azure Global is planned
A further post will follow on the general movement of Azure resources (SQL databases, Web Apps and more)
This article focuses on how to move Azure VMs between Azure global regions using Azure Site Recovery (ASR). Another article will focus on how to move other Azure resources between regions.
To move Azure VMs between different global regions with ASR, the following requirements must be met:
The Azure subscription is allowed to create Azure VMs in the target region
User rights to create the Azure resources (Azure VMs, VNETs, NICs, etc.)
Install the latest updates on the Windows/Linux OS
Check that the VM has Internet access without a proxy or firewall between the VM and the Internet
Configure the VNET and subnet in the target region before moving the VM
The process to move Azure VMs between different global regions is straightforward. But don't forget: all management tasks related to the VM, like Backup, the Log Analytics workspace and Start/Stop runbooks, will be lost after the migration and have to be set up again.
In one of the last blog articles on the old Microsoft Community Learning site, the new Azure exams Az-303 and Az-304 were announced as beta. Why the last blog article? Because they moved the blog and all related content to a new page at TechCommunity.
Yesterday was the beginning of the new fiscal year for Microsoft and the renewal day for all MVPs from the last year. I’m very happy to announce that I received my 2nd MVP award in the category Microsoft Azure 🙂
I feel so honored to have received my 2nd award, and now I am really sure that the first time was no mistake. It is an honor to work for the community, to discuss and to learn from and with the community. I hope to share more good things and hints about Microsoft Azure in the next year. Please feel free to reach out with questions or ideas about Azure topics. I hope to see you soon in person.
I would like to thank my wife Jessica for her great support and my best buddies Eric, Marcel and Thomas for their constant support. And finally, thanks to the community and Microsoft for this great award.
I received a cool mail some days ago informing me that I had successfully passed the new Azure Administrator exam Az-104 and got the renewal of the Microsoft Certified: Azure Administrator Associate.
Two years ago Microsoft released the first new role-based exams, Az-100/Az-101. I’ve passed both exams, but they are only valid for two years after passing. With the new Az-104 I got a renewal of the title for the next two years.
The Az-104 certification is a further development of the Az-103, which will be discontinued at the end of July. To see the necessary skills and the differences to the Az-103, please have a look at the document “Az-104 Skills measured”.
Preparation and study guides
In preparation, all I can say is: practice, practice, practice. Create different Azure services, manage and administer them and interact with them. This helps a lot to understand the individual services and their different functions.