Azure Arc-enabled servers enables you to manage your Windows and Linux physical servers and virtual machines hosted outside of Azure, on your corporate network, or other cloud provider. This management experience is designed to be consistent with how you manage native Azure virtual machines. When a hybrid machine is connected to Azure, it becomes a connected machine and is treated as a resource in Azure. Each connected machine has a Resource ID enabling the machine to be included in a resource group. Now you can benefit from standard Azure constructs, such as Azure Policy and applying tags.
When running Azure Arc for some time and suddenly the response stopped you need to dig a bit deeper into the how things are working instead of just kicking off an MSI and the issue is still not fixed.
This is all test So it may look different in your site.just to say so.
Here I have my two servers managed by Arc
As you can see “Something went wrong while getting your resources. Please try again later.”
yes let me get more info about this as currently I know nothing about the error.
So It is all OK according to the Azure troubleshooter and still it doesn’t work
Let me click around and see if there is and error ( I could see the local event log of the server but that’s no fun Who uses this ? post some comments in the blog post) Eventlogs are extremely helpful on finding issues or hidden issue’s Often people for get to look at his and see the problem right there. and yes it needs to be fixed also.
Will that be the issue ? checking already running the latest version, so what is this error or did it go wrong when updating the agent, well I did skip patching for some time on these servers and upgraded these to Windows server 2022
Let me check the agent version, well the latest version for now..
How is this Azure arc be configured anyway, there is no console other than in azure and an MSI with an agent,
let me check the configuration of this and see if I can find something there.
C:\ProgramData\GuestConfig
Perfect lots of log files and a config let me check this all
time="2021-09-01T16:32:17+02:00" level=error msg="Could not acquire token from cert: FromAssertion(): http call(https://login.windows.net/-d391a79950b1/oauth2/v2.0/token)(POST) error: reply status code was 401:\n{\"error\":\"invalid_client\",\"error_description\":\"AADSTS700027: Client assertion contains an invalid signature. [Reason – The key used is expired., Thumbprint of key used by client: ‘C2FA453DD43C16E584868C1C762DC91EBEC63232’, Found key ‘Start=11/12/2019 15:45:00, End=02/10/2020 15:45:00’, Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id ‘a16df9d0-f012-45ae-8a92-1d0ad72e045e’. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as ‘https://graph.microsoft.com/beta/applications/].\\r\\nTrace ID: 932-2ba8-4098-813e-05a2900\\r\\nCorrelation ID: 66a070fe-6ae4-4a25-ad3f-\\r\\nTimestamp: 2021-09-01 14:32:07Z\",\"error_codes\":[700027],\"timestamp\":\"2021-09-01 14:32:07Z\",\"trace_id\":\"932e7194-2ba8-4098-813e-343df05a2900\",\"correlation_id\":\"-4a25-ad3f-160f98c9fd9e\",\"error_uri\":\"https://login.windows.net/error?code=700027\"}"
Seeing the Config and also see the issue here — Client assertion contains an invalid signature. [Reason – The key used is expired–
As I did not update the agent the certificate got expired make sense.
But the device has already the new agent So reconnect ? but how ?
Looking at the Config I see all the details how the agent is been registered and the resource group etc
C:\ProgramData\AzureConnectedMachineAgent\Config
agentconfig.json
{"subscriptionId":"f34","resourceGroup":"AzureBackupRG_westeurope_1","resourceName":"Hyperv1201","tenantId":"0b1","location":"westus2","vmId":"9659193c-f4d8-4a77-b8f9baad507ce9a9","certificateThumbprint":"c2fa453dd43c16e584868c1c762dc91ebec63232","clientId":"0-f012-45ae-8a92-1045e"}
Let me open powershell and maybe I got more details. and reactivate the Agent
With the azcmagent command you can get more details.
let me get all the logs
azcmagent logs
now we have all the logs in a zip file this could be handy for a next time.
As I reconfigure the agent with the following command
& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect –resource-group "AzureBackupRG_westeurope_1" –tenant-id "your tenant id" –location "westus2" –subscription-id "errryh934" –verbose
With the reconnect we need to log in again and all goes well
But in the logging there is suddenly another error
When looking here I see there is an Azure Policy that demands a TAG and this is currently not available on the resource group So I Can’t onboard my Azure Arc server.
Thought this was about an Agent that has an expired Certificate.
Seems there is a Azure policy that is blocking as the hyperv1201 has no tags set the mvpdc02 has only a tag set.
After a quick change I rerun the command line and it worked perfectly and it showed up in the console again.
& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect –resource-group "MVPRSG-Azure-Arc" –tenant-id "3078684f-d143-440a-ae40-d391a79950b1" –location "West US 2" –subscription-id "df1e2f32-7adf-48f6-b969-f02376152934" –verbose
Starting client connection on: \\\\.\\pipe\\himds"
time="2021-09-01T17:12:53+02:00" level=debug msg="Awaiting status message from agent…"
time="2021-09-01T17:12:53+02:00" level=debug msg="Status Message received"
As I have a second machine with the same issue I removed the machine directly in the arc portal and rerun the registration as the agent was also already installed. (this would be the quick fix for this)
Perfect reconnecting and waiting for the Agent.
Now I can look at the Azure Arc Insights again.
Flickr Tags: Windows Server 2022,CloudOS
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
Linkedin Profile Http://nl.linkedin.com/in/robertsmit
Like this:
Like Loading...
Windows Server 2022 is built on the strong foundation of Windows Server 2019 and brings many innovations on three key themes: security, Azure hybrid integration and management, and application platform. Also, Windows Server 2022 Datacenter: Azure Edition helps you use the benefits of cloud to keep your VMs up to date while minimizing downtime.
https://docs.microsoft.com/en-us/windows-server/get-started/whats-new-in-windows-server-2022?WT.mc_id=AZ-MVP-4025011
As some of my Domain controllers are running on Server 2016 this is a great moment to upgrade them,Upgrading a domain controller is always tricky when you loos you AD, well I got a copy in Azure 
How ever Windows Server 2016 is supporting Rolling Upgrades Upgrading to Windows Server 2022 but this is only for a Cluster.
For other Servers you can upgrade your server or better reinstall. Bet you all choose for the Clean install. Well For a domain controller, it’s a quick process to redeploy but often there is ton’s of software on the DC that should not be there and makes it hard to loos the DC right ?
So my DC server 2016
Finding the FSMO roles
netdom query fsmo
You can’t upgrade the server when there is a FSMO role running on the server. Tested this and if failed So move the FSMO roles from your DC.
Yes I hear you you have only one DC well create a virtual second one and move the fsmo roles to that server upgrade and move the roles back and demote the Extra DC and you are back to a single DC.
my other DC is mvpdc22
I move the roles to my second DC
Quick and Smooth migration
Move-ADDirectoryServerOperationMasterRole -Identity “Your-DC” -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator
I mounted the ISO to the DC (virtual CD disk)
YEs I want to make the product better.
Use your Product key or if you are on hyber-v you can use the AVMA key https://docs.microsoft.com/en-us/windows-server/get-started-19/vm-activation-19?WT.mc_id=AZ-MVP-4025011
The following AVMA keys can be used for Windows Server 2022:
Datacenter
W3GNR-8DDXR-2TFRP-H8P33-DV9BG
Standard
YDFWN-MJ9JR-3DYRK-FXXRW-78VHK
I still love my gui So I install the desktop experience
Read the entire EULA and I agree.
My domain Controller desktop (remember this is my lab) Don’t use your DC for any other things than using it for a DC.
I want to keep My files
Yes Install
Let the Setup running
So in just 20 min my DC was upgraded to 2022 lot’s of new stuff is there but that’s all for a next blog post. Hope it was usefull and remember make sure you have a backup things my fail in your environment
https://docs.microsoft.com/en-us/windows-server/get-started/whats-new-in-windows-server-2022?WT.mc_id=AZ-MVP-4025011
Flickr Tags: Windows Server 2016,CloudOS
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
Linkedin Profile Http://nl.linkedin.com/in/robertsmit
Like this:
Like Loading...
In Azure there are multiple options to add a Firewall to your Azure landing zone. But the standard Azure firewall comes with an option Classic or firewall policy, and there is a good change that you already have an Azure firewall classic then you can migrate to a premium SKU see the link to get the process https://docs.microsoft.com/en-us/azure/firewall/premium-migrate?WT.mc_id=AZ-MVP-4025011
Azure Firewall pricing
https://azure.microsoft.com/en-us/pricing/details/azure-firewall?WT.mc_id=AZ-MVP-4025011
Azure Firewall Standard
- Stateful firewall as a service
- Built-in high availability with unrestricted cloud scalability
- Centralized network and application level connectivity policy
- Threat intelligence-based filtering
- Support for hybrid connectivity through deployment behind VPN and ExpressRoute Gateways
Azure Firewall Premium (Public Preview)
- Built-in TLS Inspection for customer’s selected encrypted applications
- Ability to detect and block malicious traffic through advanced IDPS engine
- Restrict access to Web content via built-in URL Filtering for both plain text and encrypted traffic
- Web Categories provide enhanced content filtering capabilities
- IDPS signatures and Web categories are fully managed and constantly updated
Initial I setup a Azure Firewall premium
Premium firewalls support additional capabilities, such as SSL termination and IDPS. Additional costs may apply. Migrating a Standard firewall to Premium will require some down-time.
As you can see there is an option standard or premium and use the Firewall policy or the Classic. In premium there is no classic any more the only option is firewall policy.
Choosing the Premium and the option firewall management is gray out.
As I already have some Firewall policy’s I can already attach these to my new firewall, this is one of the great options, In the firewall manager you can create Firewall policy’s with out having a azure firewall running, you can already prepare the landing zone with all kind of rules .
Keep in mind that the firewall must be in the same resource group as your vnet.
Setting up a Azure Firewall with PowerShell is easy but you need to have the resources already in place
# Create the firewall
$Azfw = New-AzFirewall `
-Name $FirewallName `
-ResourceGroupName $rgNamevnet `
-Location $Location `
-VirtualNetworkName $VnetName `
-PublicIpName $pip01 `
-SkuTier Premium
Now that The Firewall I created We can see the policy’s attached in the Firewall manager.
Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.
Firewall Manager can provide security management for two network architecture types:
Secured virtual hub
An Azure Virtual WAN Hub is a Microsoft-managed resource that lets you easily create hub and spoke architectures. When security and routing policies are associated with such a hub, it is referred to as a secured virtual hub.
Hub virtual network
This is a standard Azure virtual network that you create and manage yourself. When security policies are associated with such a hub, it is referred to as a hub virtual network. At this time, only Azure Firewall Policy is supported. You can peer spoke virtual networks that contain your workload servers and services. You can also manage firewalls in standalone virtual networks that aren’t peered to any spoke.
Azure Firewall Premium Preview in the Azure portal | Microsoft Docs
So now that the firewall is in place and we already had an policy attached but you can change that real quick.
Go to the Firewall blade and her you can see the policy and change it directly
Or if you go to the firewall manager and select the virtual networks you can see a good overview of where and what is attached to the vnet
Remember the firewall need to be in the same resource group as your network, and there come’s also the hard part if you want to switch policy’s
Looking at the firewall policys from here you can add them to a hub or a vnet
here you see an overview of the firewall policy’s
When associate a policy to a vnet or multiple vnets we got a good overview on what is available and what not.
Adding the Policy to a network,
The firewall manager blade with all the rules and options
You can add rule collection groups and rule collections, In a rule collection group can hold multiple rule collections, I would advise you to build these collections as it is real handy if you want to change later some item or you want to export a collection and import them in a different collection group
Also new is the application rules here you can set web category’s that are allowed or denied.
using the application rules with the internet categories is still in preview but is a great addition for Azure virtual desktop #AVD
Setting up the web categories is easy selectable in the destination type. and then select one or multiple.
Remember the naming if you want to find this later in your rules, keep it clean and neat
Keep in mind that when you are selecting multiple categories the naming field is also corresponding to that
Removing the Firewall does not mean that you will loose the policy’s or removing the policy and loose the firewall unless…
Keep in mind when you remove a policy and you will set the little checkbox the firewall will be removed. If it is added to multiple vnets you may have a failure on the firewall deletion as there is still a policy attached
Overall the firewall manager is a great step to a modern security management in Azure, there a multiple items that I could wish for in the Firewall manager like management of all the NSG’s who nice would that be and traffic logging etc one thing is clear Azure is getting better and better and true the more options we get the more complex items we are building, and that’s fine keeps me off the streets and my work is never gets boring
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
Linkedin Profile Robert Smit MVP Linkedin profile
Google : Robert Smit MVP profile
Like this:
Like Loading...
Webinar – Your 5 Most Critical M365 Vulnerabilities Revealed and How to Fix Them
Microsoft 365 is an incredibly powerful software suite for businesses, but it is becoming increasingly targeted by people trying to steal your data. The good news is that there are plenty of ways admins can fight back and safeguard their Microsoft 365 infrastructure against attack.
This free upcoming webinar, on June 23 and produced by Hornetsecurity/Altaro, features two enterprise security experts from the leading security consultancy Treusec – Security Team Leader Fabio Viggiani and Principal Cyber Security Advisor Hasain Alshakarti. They will explain the 5 most critical vulnerabilities in your M365 environment and what you can do to mitigate the risks they pose. To help attendees fully understand the situation, a series of live demonstrations will be performed to reveal the threats and their solutions covering:
· O365 Credential Phishing
· Insufficient or Incorrectly Configured MFA Settings
· Malicious Application Registrations
· External Forwarding and Business Email Compromise Attacks
· Insecure AD Synchronization in Hybrid Environments
This is truly an unmissable event for all Microsoft 365 admins!
The webinar will be presented live twice on June 23 to enable as many people as possible to join the event live and ask questions directly to the expert panel of presenters. It will be presented at 2pm CEST/8am EDT/5am PDT and 7pm CEST/1pm EDT/10am PDT.
Don’t miss out – Save your seat now!
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
Linkedin Profile Robert Smit MVP Linkedin profile
Google : Robert Smit MVP profile
Like this:
Like Loading...
There are multiple ways on how to use a VPN and how to connect and use this. In this blog I use an Azure Virtual WAN Hub with associated security and routing policies configured by Azure Firewall Manager.
When connecting to your Virtual Hub over the IKEv2 protocol, you can use certificate-based authentication or RADIUS authentication. However, when you use the OpenVPN protocol, you can also use Azure Active Directory authentication.
I will use the open VPN with Azure Active Directory authentication. Remember this is only supported on Windows 10 as you will need the Azure VPN client from the microsoft store.
For giving the vpn application the proper permissions, you need to register the application to your Azure AD first.
below is the default URL that can be used to trigger the registration, use the proper rights to create an enterprise App in you Azure AD
https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent
Sign in with the proper credentials
Using the wrong account will end up in
AADSTS50020: User account from identity provider ‘live.com’ does not exist in tenant ‘Microsoft’ and cannot access the application ‘4b4′(Azure VPN) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
When Accepted the you will be redirected to the Azure portal.
In the Azure portal you can go to the Azure active directory and
Enterprise applications | All applications and search for Azure VPN
Now that the basics are in place, we can configure our Site to Site VPN profile the following information is needed.
Go to your Virtual Wan and select the user VPN configuration
Create User VPN ##### I noticed during the writing of this blog post the screens may differ as the portal changed the layout#######
- Configuration name – Enter the name you want to call your User VPN Configuration.
- Tunnel type – Select OpenVPN.
- Authentication method – Select Azure Active Directory.
- Audience – Type in the Application ID of the Azure VPN Enterprise Application registered in your Azure AD tenant.
- Issuer –
https://sts.windows.net/tenantID/
- AAD Tenant –
https://login.microsoftonline.com/TenantID
Select open VPN
go to the Azure Active Directory <> properties and grab the Tenant ID
Set the switch to yes and new fields will open.
#the number is your tenant ID
Now that the VPN user profile is created we can configure the HUB
Now that the user vpn profile is created we can create the P2S VPN. Select your hub
Select the user VPN point to site VPN select create
Creating a VPN gateway you need to select the just created User profile.
Select a proper IP subnet and if needed a DNS server for the workload into that network
Updating a hub can take 30 minutes or more.
Download User VPN profile as we need this on the Windows 10 client later.
Use the VPN profile to configure your clients.
- On the page for your Virtual WAN, click User VPN configurations.
- At the top of the page, click Download user VPN config.
- Once the file has finished creating, you can click the link to download it.
- Use the profile file to configure the VPN clients.
To download the Azure VPN client on your windows 10 test device.
Use this link to download the Azure VPN Client.
Open the VPN Client you can add a new VPN or import a Connection
For Importing the Connection we need the just downloaded zip file and extract this in the AzureVPN folder there is a XML that holds the vpn configuration.
If any thing goes wron with the import it is 99% your pbk file,
go to the following folder and delete the files – this will probably also remove your other vpn connections it you had any.
%userprofile%\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
C:\Users\admin\AppData\Local\Packages\Microsoft.AzureVpn_8wekyb3d8bbwe\LocalState
Now that the Import worked and you are ready to connect to the VPN in Azure.
Use your Azure AD credentials or your FIDO2 key
Now we are fully connected to the Secure Virtual WAN in Azure
It can take some time to see your connection in the portal
Showing the above it all is easy to setup this but I already see the questions yes but I need to do this on 5000 Windows 10 devices.
Microsoft Endpoint Management is your best friend.
Deploy VPN with Microsoft Endpoint Management
We create a Custom Template and do not select the VPN option as this is not for uploading the XML
In our Custom settings we add the Following settings
- Name: Enter a name for the configuration.
- Description: Optional description.
- OMA-URI: ./User/Vendor/MSFT/VPNv2/demo01_hub-weu/azurevpnconfig.xml (this information can be found in the azurevpnconfig.xml file in the tag Name).
- Data type: String (XML file).
Now that this is done we can create some assign ments and test this on the pilot group
As you can see there are a few steps involved and are linked together
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
Linkedin Profile Robert Smit MVP Linkedin profile
Google : Robert Smit MVP profile
Like this:
Like Loading...
