Migrate onpremise SQL DB to the Azure SQL Database

Azure dataplatform also provides Azure SQL database as a relational database as a service PAAS which is fully managed by Microsoft.This helps the developers to build their apps very quickly and removes the overhead of database administration.

There are few methods to migrate an on premise SQL database to Azure SQL Database and in this article we will have a look at migrating them with two options.

1) Using BACPAC export and import.

2) Data Migration Assistant.

Using BACPAC export and import:

With BACPAC export and import firstly we need to export the SQL database from the on premise SQL instance as a data tier application.

To export – Open SQL Management Studio – Right Click on the desired database and click on tasks – select export data tier application.

Now we need to save them in bacpac format.

The exported bacpac file will be successful.

Now this bacpac file needs to be imported to the Azure SQL database. Now we need to connect to the Azure SQL database to from SQL Management Studio.

Once after it is connected right click on the database folder and select import data tier application.

Select the exported bacpac file from the local disk and select the new database name that needs to be mentioned. Here we need to choose the Edition of Microsoft Azure , size of the database and the service type for this database in Microsoft Azure.

Having selected the required option select import and the import operation will start.

After a successful import we can see the status to be green and result successful.

Now we can see the migrated database in the Azure SQL database which have been successfully imported. Now we need to provide the username and the connection strings to the application owner to access their data which is present on the Azure SQL database.

Data Migration Assistant:

We can use the SQL migration assistant with source and target end points and migrate the data to SQL PAAS Azure easily.

Below are the readiness to be prepared for migrating the SQL data from on premise to Azure :

  • Download and install SQL data migration assistant.
  • We need to enable TCPIP on source.
  • Port 1433 must be accessible.
  • SQL browser service must be started.
  • Enable SQL remote connection must be enabled.

Once the Data Migration Assistant is installed open  and click on new

Here we have two options assessment or migration. Assessment helps us to identify the readiness required for this migration and will let us know if any connection or prerequisites missing. Here we can click on assessment.

Now we can select the authentication type and click on next

Select the desired DB’s that needs to be migrated to Azure.

Now we have the option to click on start assessment

 

  Check the assessment report once it is completed.  

To Migrate – rerun the agent and choose the option migrate and specify the source server details.

Once after its authenticated successfully now we have an option to choose the database that needs to be migrated.   

Now we need to specify the target Azure SQL PAAS Db details and the credentials.

Once after its been authenticated successfully , we can see the schema objects from the source database which we would like to migrate to Azure SQL database.

For the schema to migrate successfully we need to deploy the schema which will help us to migrate the schema initially.

Later once the schema is populated successfully now we have an option to migrate the data.Click on migrate data.

Choose the list of tables that needs to be migrated.

Once the table have initiated the migration  we can see the progress.

On a successful migration we get the below message.

The result of the online migration is that the data is successfully migrated to the cloud.

Thanks & Regards

Sathish Veerapandian

Microsoft Azure – Copy VHDs, between storage accounts in managed and unmanaged disks

The most common tasks that we might be receiving in Azure is to copy the blobs between the storage accounts. This article outlines the steps involved in copying the VHDs between managed and unmanaged disks

Copying the VHDs from unmanaged disks to a new storage account is pretty simple and we have two options copying via AzCopy or use Storage explorer

Option 1: Using Az Copy

Step 1: Get the VHD URL – 

Navigate to storage account – Choose the Associated VM SG account – Click on Blobs – Select the container name – Choose Properties – Copy the URL 

Step 2 : Copy the access key of the source storage account.

Step 3: Download and install the AZ copy 

Step 3:  Follow Step 1 & 2 and get the URL and access key details  of the target storage account.

Now we need to open command prompt and run the below command replacing the required entries that we have taken from the respective storage accounts

.\AzCopy.exe /Source:https://StorageAccountSource.blob.core.windows.net/vhds /Dest:https://StorageAccountDestination.blob.core.windows.net/vhds /SourceKey:”keyXXX”  /DestKey:”DestinationKeyXX” /SyncCopy /s

We will see the copy progress once after the command have been initiated

Once the task is completed we get the below message

And can see the file successfully copied to the target storage container location

Option 2: Using storage explorer (preview)

Using storage explorer is pretty much simpler task

Open storage explorer – click on the subscription – expand the blob containers of the source VHD – Select the VHD – and click on copy




Now navigate to the destination blob container and paste the copied vhd file.

Copy from Managed disks:

Copying the data from the managed disks is much easier using Azcopy or power shell script. There are lot available in the GitHub and have used this one was taken from GitHub

All we need to provide subscription ID, Resource group name , disk name , target storage account name , storage container , storage account key and destination VHD file name.

#Provide the subscription Id of the subscription where managed disk is created
$subscriptionId = "provide subscriptionID"

#Provide the name of your resource group where managed is created
$resourceGroupName ="Provide RG name"

#Provide the managed disk name 
$diskName = "provide disk name"

#Provide Shared Access Signature (SAS) expiry duration in seconds e.g. 3600.
#Know more about SAS here: https://docs.microsoft.com/en-us/Az.Storage/storage-dotnet-shared-access-signature-part-1
$sasExpiryDuration = "3600"

#Provide storage account name where you want to copy the underlying VHD of the managed disk. 
$storageAccountName = "provide SG account name"

#Name of the storage container where the downloaded VHD will be stored
$storageContainerName = "provide storage container name"

#Provide the key of the storage account where you want to copy the VHD of the managed disk. 
$storageAccountKey = 'provide storage account key'

#Provide the name of the destination VHD file to which the VHD of the managed disk will be copied.
$destinationVHDFileName = "provide destination VHD file"

#Set the value to 1 to use AzCopy tool to download the data. This is the recommended option for faster copy.
#Download AzCopy v10 from the link here: https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10
#Ensure that AzCopy is downloaded in the same folder as this file
#If you set the value to 0 then Start-AzStorageBlobCopy will be used. Azure storage will asynchronously copy the data. 
$useAzCopy = 1

# Set the context to the subscription Id where managed disk is created
Select-AzureRMSubscription -SubscriptionId $SubscriptionId

#Generate the SAS for the managed disk 
$sas = Grant-AzureRmDiskAccess -ResourceGroupName $ResourceGroupName -DiskName $diskName -DurationInSecond $sasExpiryDuration -Access Read 

#Create the context of the storage account where the underlying VHD of the managed disk will be copied
$destinationContext = New-AzureStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageAccountKey

#Copy the VHD of the managed disk to the storage account
if($useAzCopy -eq 1)
{
    $containerSASURI = New-AzureStorageContainerSASToken -Context $destinationContext -ExpiryTime(get-date).AddSeconds($sasExpiryDuration) -FullUri -Name $storageContainerName -Permission rw
    .\azcopy copy $sas.AccessSAS $containerSASURI

}else{

    Start-AzureStorageBlobCopy -AbsoluteUri $sas.AccessSAS -DestContainer $storageContainerName -DestContext $destinationContext -DestBlob $destinationVHDFileName
}

Disk name of managed VM can be taken from the disks section tab in the managed VM

Once the script started running we could see the SAS URL being generated through the commandlet Grant-AzureRMDiskaccess and we have an option to download them directly from this URL.

With all the details we run the script from Azcopy or powershell and it will copy the VMs successfully to the destination storage account.

Thanks & Regards

Sathish Veerapandian

Microsoft Teams – Side load 3rd party & custom built apps in Microsoft Teams pane

With all the more new improvements in Microsoft Teams,we have more alternatives to modify the end user client choices from the application perspective to get access to the most frequently used applications from Microsoft Teams.

The Custom built in-house applications can be effectively side-stacked in Microsoft Teams which makes the end users to adequately use these applications.

To start utilizing these options login to Office 365 admin portal and verify if the teams side loading options are migrated to Teams admin portal.

Once logged in navigate to settings – services & addins – search for Microsoft Teams – And see if external apps in turned on.

In below case in this tenant these configurations have been migrated to Microsoft Teams admin portal and hence these settings are greyed out. This will be the case for almost every office 365 tenants.

Now we have got app permission policies in Microsoft Teams.

App permissions policies control what applications we need to make accessible to Teams clients in our organization. Now we have got the better flexibility to customize the default policy or create custom policy and assign to only targeted users. The better option is to create a custom policy and assign them to targeted users.

Login to Microsoft Teams Admin portal – Select Teams Apps – and choose permission polices – Click Permission policies – Click Add

Here we have the flexibility to control Microsoft Apps, Third party Apps and Self developed custom inbuilt tenant apps which are published in Microsoft Teams as an App Package.

Once the required applications are selected the created application is ready to be assigned to individual users.

We can create app setup policies which decides the way we want to display the prepinned apps in Microsoft Teams pane.

To create custom one navigate to setup policies and click on Add

We do have further customization of the default apps or remove them and add more custom applications.

In the policy there is option to select the appropriate app permission policies which makes the default policy not affected and apply only for targeted users.

Assigning the App Permission policies and Setup Policies to end users.

Having the policy created now it is easier to assign the custom policy to targeted users.

Navigate to users tab – select policies tab – Now we have option to assign custom app permission and app setup policy.

End user Experience –

Once the policy is assigned we have the custom apps side-loaded in Microsoft Teams.

With these above options Application arrangement strategies can be improved and modified dependent on the business prerequisites, integrated with Microsoft Teams and rolled out to the end users.

Thanks & Regards

Sathish Veerapandian

Overview of DNS services in Microsoft Azure

Like different DNS hosting suppliers, we have DNS facilitating choice both private and public in Microsoft Azure.We have Azure Provided DNS, Bring your own DNS and use Azure private DNS which is in review starting at now.

Azure Provided DNS: (Azure-provided name resolution)

With Azure provided DNS the deployment is a lot simpler, and no complex setup is required from our side.They come up with highly available model and they can be used with in conjunction with our DNS. There are few caveats in this model which is the DNS suffix can’t be changed since they are auto created and given from Azure. DNS Query Traffic is throttled for each VM’s which might need to be taken into consideration for intensive web applications. Thus Wins and Net Bios are likewise not Supported. At last, manual registration of DNS records isn’t supported.

To create Azure DNS – Login to Azure Portal – Search for DNS – Select DNS Zones- Click on create DNS Zone.

Key in the requested details and create

Once created we can see the name servers which are from Azure.So these Azure name servers are responsible to answer DNS queries for the hosted domain from the users on the internet.

Now we have the option to add the record sets and once these records sets are created they will be available public.

To create DNS name from the Powershell we can use the below command
New-AzDNsZone -Name ezcloudinfo.com -ResourceGroupName Network-NG

To create a DNS Record Set we can use the below parameter

New-AzDnsRecordSet -Name www -RecordType A

Bring Your Own DNS:

Bring your own DNS is regularly utilized in hybrid connectivity scenarios which is connecting Azure assets to on-premise DNS system and connecting Azure to various DNS Networks. This is generally required in situations where our Azure cloud VM’s requires reverse lookup of on-premise internal IP’s or authentication is required in domain controller for applications running on VM in Azure.

The most crucial thing is that when we are implementing the bring your own DNS on Azure we need to turn of DNS Scavenging which will help us to prevent the accidental deletion of DNS records. Also, we need to enable DNS recursion and ensure port 53 is accessible from all the clients.

One crucial point to consider is that we must never specify our own DNS settings within the VM itself because the system is unaware of the settings for DNS. Instead there is configuration options within the virtual network settings which are at VNET level and will be applied to all resources in the network.

We need to register each VM in provided DNS service or configure the DNS servce to accept Dynamic DNS Queries.

We can configure the custom DNS as below from the Azure Portal.

Navigate to Azure Portal – Select the virtual networks that needs to use our own DNS – We will see the default Azure provided DNS.

In-order to use our DNS select Custom and key in the DNS details on the required VNET.

The same steps is applicable for the individual VMs and in those cases we need to enter the DNS servers in the VM network interface.

And change the DNS servers to our custom DNS.

The private DNS can be configured at the VNET , Network Interface level and not at the subnet level. So we need to configure these settings on each VM’s network interface.

Azure private DNS (Preview):

Presently Azure DNS likewise underpins Private DNS areas which is in review starting at now. This is a promising component to give DNS between private virtual networks.

With these private DNS Zones we can utilize our very own custom DNS names without the complexity nature of overseeing and keeping up our own DNS servers.

As of now the name resolution is supported up to ten virtual networks.If we need to resolve the VM names from multiple virtual networks the VMs in any other networks must be registered with the service manuallyAs of now the name resolution is supported up to ten virtual networks. As the name indicates these zones are not exposed to the internet and will be communicating only within the inter linked virtual networks.

The procedure is similar like what we see on Azure DNS – Navigate to Azure portal – select private dns zones.

Once created we will see them to be a private DNS.

We have the options to create records sets which will be communicating between these interlinked Vnets.

Since this Azure private DNS is in review mode without Service Level Agreement it is prescribed not to move this out on production environments . Its better to play around and investigate the utilized cases which will help when it is rolled out live on production environments.

Additional Info:

IP address 168.63.129.16 is a virtual public IP address that is used to facilitate a communication channel to Azure platform. The public IP address 168.63.129.16 is used in all regions and all national clouds. This special public IP address is owned by Microsoft and will not change and offers below features.
1) Enables the VM Agent to communicate with the Azure platform.
2) Enables communication with the DNS virtual server to provide filtered name resolution.
3) Enables health probes from Azure load balancer.
4) Enables the VM to obtain a dynamic IP address from the DHCP service in Azure.

5) Azure DNS also supports importing and exporting zone files by using the az network zone import and export command lets. Importing zone files will create a new zone in the Azure DNS if they are new record sets or they are merged with existing if there is a zone already present with this name in the azure DNS.

Thanks & Regards

Sathish Veerapandian

SharePoint Online – Enable External collaboration through B2B extranet Sites

On every business operations its crucial to sanction external partners,vendors to collaborate on their quotidian operations. Withal there are cases wherein only business to business collaboration like sharing between two organization is required and remains a vital factor to their business.

To felicitate a classical external collaboration site it was always bit challenging for administrators from SharePoint on premise workloads. Extensive orchestrating is required in terms of provisioning hardware or VM resource, security hardening and getting the access on the firewalls etc..,

With Office 365 B2B there are much more easier ways to roll out this feature to business with no additional server provisioning, no certificate requirement and simple administration. This magnificently reduces the traditional deployment costs. By default we get secure sharing, seamless collaboration and we have much detailed governance and audit reporting.

This article contours the steps involved in planning for an external business sharing in SharePoint online.

Configure External Authentication for Guest Users:

As an initial prerequisite we need to plan for the authentication and management through Azure AD for all the guest users.

At this moment we have the authentication via one-time pass code which will be sent to their email address for the non Microsoft accounts.Enabling one-time passcode feature can be used when external sharing of files,folders,document libraries and sites is done. Currently the one-time passcode is under preview and subsequently will replace the AD-Hoc sharing from onedrive and sharepoint in office 365.

Below are the major key points of enabling the azure B2B:

  1. MFA can be enabled for the B2B Invited Guest Users.
  2. If we have configured Google federation in our Azure AD tenant then the federated users can consume the permissible SharePoint and one drive resources shared with them.
  3. Much granular level of sharing options are present and subject to organization settings.

Follow the below steps to enable the pass code authentication:

login to azure portal – navigate to azure active directory – choose organizational relationship settings – Enable the option Enable Email one-Time Pass code for guests.

There are few other options on controlling the guest users permissions and can be added based on the requirement.

Now we have the one time pass code enabled we would need to enable the integration for SharePoint and one-drive with azure AD to enable this service on these workloads with the below two commands.

Set-SPOTenant -EnableAzureADB2BIntegration $true

Set-SPOTenant -SyncAadB2BManagementPolicy $true

Ensure that the below configuration is set

Having the authentication part configured now we would need to create an extranet site in few clicks.

1) Create an external business-sharing site in SharePoint Online (This site can be used for sharing between the Tenants)

On the Active sites page of the new SharePoint admin center, select Create – – select Other options —

Select More templates

Choose Team site (classic experience).

Here we need to provide a title and name for the site that we are creating.

There are few other options like timezone, admin, storage quota and server resource quota which can be configured based on our requirement.

Now the sharing capability needs to be enabled and there are 2 places where it can be controlled organizational level and site level.

The first step is to enable them at the organizational level

Login to office 365 portal – search for external

Choose the option new and existing guests

There are few other options which can be controlled from the SharePoint admin center

We can further restrict the site collaboration only to few selected domains.

The guest permissions must also be selected based on our business requirement .

Choose the first option which is applicable for the invited guest users. There are other options to limit the sharing option to least permissible users via targeting them to a security group.

Finally navigate to the sites and here we have option to further control the site permissions.

Here we have the option to share new and existing guests.

Now we have configured the org level settings we can test this behavior from site admin side

Navigate to the site with site admin privilege and create a folder with sharing partner.

While sharing a document to the external partner we will be notified with the message info as we see below.

The guest user will receive the invitation email with a link to access the folder.

They need to Enter their Microsoft credentials (the credentials for the account that the invitation was sent to). And User will be challenged for Verification code which will be sent to their email account.

This cool feature helps the admin to accomplish the business requirement with ease of operation , no additional resource cost and providing them with much controlled and tracking them through auditing and reporting of external users.

Microsoft Teams – Manage External and Guest Access communication for users

Microsoft Teams becoming an unrivaled communication platform its been adopted by most of the corporate organizations right from small, medium and large scale businesses.

Teams adoption rate have been thriving a lot and there are organizations managing their daily operations and projects completely via better organized Teams and channels.

In this article we will have an overview and the options available to expose Microsoft Teams for communication to the external network and other office 365 organizations.

As an initial prerequisite we must ensure that all the Office 365 URL and IP Ranges are allowed.

Login to Microsoft Teams Admin center portal here we have 2 options.

  1. External Access
  2. Guest Access

For external access the screenshot is pretty much explanatory. The best way is to add only the allowed domains which would block the other external organizations.

We do have an option to toggle the second feature where the Skype for Business online users have the ability to communicate with the Skype Users. But then if all the users are switched to Teams only mode then enabling the latter functionality will not be working.

External access lets our Teams users communicate with allowed domains.
Only the allowed domains in the list can communicate with each other.
They cannot be a member of a Teams or any Channels, however they can initiate peer to peer chats, audio , video calls and can join the meeting initiated from Outlook.

As of now below are the features that will be working between external access domains.

With Guest Access anyone with a business or consumer email account, such as Outlook, Gmail, or others, can participate as a guest in Teams. We can grant them access to our existing teams and channels.

Guest access can be further manipulated based on our business requirements with the below options.

Meeting and messaging choices can be further controlled in guest access.

Once the guest access is enabled the end users can go ahead and add external ids like gmail in their channels like below.

The external guest account will receive a descriptive invite which will provide information about Microsoft Teams.

Note: For all the invited external users a corresponding azure AD account will be created in our Tenant with the user type of Guest.

Few users reported challenge in communicating with allowed federated domains.

While most of the users were able to communicate across federated domains and there were few users experiencing the below error.

On further analysis found that there are two federation policies.

And the affected users were assigned to disabled federation access policies.

After moving them to federation only policy the issue got resolved.

Grant-CsExternalAccessPolicy -Identity “S Hameed” -PolicyName FederationOnly

Thanks & Regards

Sathish Veerapandian

Create Customized App Package for Azure Bot and publish them in Microsoft Teams

In the previous article , we had an overview and example of how to start creating Microsoft Azure Bots and integrate with Teams. Furthermore once the bots are integrated with teams ,we would need to create application package for our Azure Bot, so that we can provide better end user experience.

To interpret further once the azure bot is available to the end users via teams it will not be showing to them as an application (example shown below). Providing them as vanilla format will not be more intriguing to the consumers.

In Microsoft Teams there is an option to create a customized app package for our azure bots. Once we create and publish them, it will be available for end users in the app section. From Microsoft Teams users can search and install them on their Teams Client.

With app studio package admins can create their own customized apps for Microsoft Teams and publish them to individual users, teams and globally to the whole organization. Search and install app studio package from app section in Microsoft Teams.

Once after it is installed , open App Studio and use the Manifest Editor to create the App Package.

Here there are two options:

Create a new app – Used to create our own customized app.

Import an existing app – We can import our own customized existing app.

In this section create a new app is selected since the scope is to create an app for an existing azure bot service.

In the app section provide the information as requested.

App ID is crucial here and it must be the value of the Azure Bots from the setting page of the Azure Bots that we are creating the APP Package. Rest all information is descriptive and can be added easily.

There is an option for customized branding to insert the iconic image of our app which will be shown to the end users while interacting and also the terms of use can be added over here.

Capabilities tab is a vital section as this determines the functionality of the bot. Select only the bot section , add the required information and leave the others with default configuration .In above example existing bot must be selected because the app package is been created for an active bot. Provide them a name and use the option select from one of my existing bots.

The other options have to be chosen very carefully based on your bot functionality. For instance choosing My Bot is a one-way functional only for a bidirectional bot will not provide the message input window to the end users during the interaction.

It is important to note that for a 1:1 bot it needs to be selected only in personal scope. Choosing the other options for a 1:1 bot will create a malfunctioning of the app to the end users.

On a security perspective there are few options to restrict, provide SSO and Device permissions.

Provide the below information for the SSO.

And we have the option to control the device permission which is really great.

Having done all these settings above there is an option to test and distribute the created app package.

The easiest way is to install in our own client before distributing them by choosing the first option install your app in teams for testing.

After installation the app is ready to be launched.

Now on a user experience it provides us a prime look to our Azure Bot and looks appealing.

Its better to change the bot profile icon as well to show the same icon in the chat conversation.

Having tested this app from individual level client , now it is time to publish them to all users. Download them as json file and upload it from a teams client with global admin privilege.

The application must be downloaded from the teams client that was used to create this manifest file. Once after its been downloaded we can see it would have been downloaded them as json file along with the associated PNG files.

This zip file needs to be uploaded from the teams client using the option upload a custom app.

Once logged in with Global Admin Credentials – Navigate to store and use the option – upload a custom app.


There is  2 options to upload for me or my teams and upload for the whole tenant which will make the app be available for all users.

Once after its uploaded , successfully this new app for the azure bot will be available for end users and they can search in the store and install them.

Finally the App can be updated to next version with ease of operations or deleted with the below settings from the Teams client with Global Admin Credentials.

There are much more ways to control this app visibility and user experience on teams client like side loading the apps for easier communication , restricting them only via 3rd party apps etc. We will discuss about these configurations in the next upcoming blog.

Thanks & Regards

Sathish Veerapandian

%d bloggers like this: