Microsoft Teams – Configure Azure Log Analytics for Monitoring Teams Room Systems

Intune, Microsoft Teams, Monitoring Tools March 27, 2020 Leave a comment

Microsoft Teams being the best collaborative solution there are lots of smart devices which are equipped with Microsoft teams for providing the smart meeting room systems with modern cameras, microphones and smart display screens. The best part on Teams application is it can function well in all ranges of devices with a support of basic hardware and running on a windows 10 operating system.

While there are numerous approaches to monitor the Microsoft Teams room systems this article we will go through the steps to monitor them through Azure Log Analytics.Like other applications Microsoft Teams App running on room devices will write all the events on the event logs.Through the Microsoft Monitoring agent in Microsoft Teams it allows these events to be collected in Azure log Analytics.

Prerequisites:

  1. Subscription with Azure to configure log analytics workspace.
  2. Teams meeting room system with internet connectivity. There are other methods to collect the logs without internet through  Log Analytics gateway in this approach we are going with direct agent method.
  3. The Teams devices must be running on a windows operating system on all meeting rooms on a KIOSK mode or probably on a full operating system mode based on the requirements.

Create Azure Log Analytics and integrate with Microsoft windows agent.

Log into log analytics workspace

Create new log analytics workspaces. We can use the existing workspace as well and it purely depends on the requirement.

Choose the  required subscription

Once the Log analytics workspace is created , we need to go ahead and download the windows agent. The agent can be downloaded by navigating to Log Analytics Workspaces – Workspace name – Advanced Settings – Connected sources – Windows servers – Download the windows agent.

Install the MMA agent on Teams Skype room system device –

Select only the option connect the agent to azure log analytics (OMS) because in our case we are not monitoring them via a local monitoring agent SCOM.

Enter the workspace ID and the key from the log analytics workspace and select Azure Commercial. If the network is going through proxy then click advanced and provide the proxy configuration. If the device is not having connection to the internet then the agent cannot send the logs to log analytics workspace.

Once installed we can see the Microsoft Monitoring Agent present on the control panel.

Once opened can see the Azure log analytics (OMS) and see the status to be successful.

On editing the workspace we can see the workspace ID and the Workspace Key.

Usually it takes a while to collect the logs to Azure Monitoring agent.

Configure the required logs to monitor:

Once the log analytics workspace is being collected we need to configure the data sources so that the log analytics workspace can start collecting the  required data for monitoring the Teams Room Systems.

In our case for monitoring the teams device, we need to collect teams app logs and few hardware related events. We will look into configuring them now.

Note: We have to be very choosy here on collecting only the required events, since dumping logs to azure log analytics involves cost in it and best recommended to choose only the required events.

In order to collect the logs navigate to advanced settings – Choose data sources – select windows event logs

The key primary log that needs to be collected is Skype Room System (we have to type them completely and click add as this log entry will not autocomplete)

There are few more log events that can be added, but added these logs which might be helping on monitoring the Teams room devices.

Having added the windows event logs, we can navigate to windows performance counters and there are few events which can be added and useful for us to notify when the devices are having any of the below issues on them.

Querying the logs:

Once we have configured the required log sources it’s the time for us to run some queries and see if the logs are been collected. The azure log analytics workspace works well with Kusto Query Language and SQL Query Language.

There are default queries like Computers availability today , list heartbeats and unavailable computers.

Once selecting on the default templates list heart beats and can click on run the below results is obtained.

To see only the Application Event logs we can run the below query

search * | where Type == "Event" | where EventLog == "Application"

To see only the Errors generated in the application event logs

search * | where Type == "Event" | where EventLog == "Application" | where EventLevelName == "Error"

To drill down more and look into the perfmon logs ran the below query to check the system up time.

Perf| where CounterName == "System Up Time"|summarize avg(CounterValue) by bin(TimeGenerated, 1h)

There are lot of queries which can be built from these collected events. Having collected these events , we can configure them to display as dashboards and collect alerting mechanisms for the critical events. In the next post we will have a look at how to configure the alerting systems for critical events that’s happening on the meeting room devices.

Thanks & Regards

Sathish Veerapandian

Microsoft Intune – Configure customized role based access control in a redistributed IT environment.

Azure, Intune, Office 365 March 5, 2020 Leave a comment

In a huge enterprise scale deployments there will be various teams who handles the services with multiple administrator accounts.These executives must be furnished with administrator accounts which are appropriate to their boundaries.Microsoft intune being a device,apps and office 365 administration management there are high prospects that this element may be used over various departments,applications,devices and from various areas. Microsoft Intune having lots of features and capabilities now most of the organizations are moving as managed tenant with Microsoft intune.

For instance there can be multiple app protection policies, device compliance policies, app configuration policies ,etc., are created for multiple services one for meeting room management, another for BYOD devices and for corporate windows devices. In these situations we need to create customized role based access control for each users.

With the default intune admin role assignments, we cannot manage to provide custom permissions and hence need to take little bit different approach in order to deploy in a decentralized environment.

We shall consider a scenario where there are 2 different cases of leveraging Microsoft Intune as a managment authority one for Meeting rooms and another one for managing office 365 and Line of business apps in BYOD devices.

Ideally in this scenario we must be having two sets of policies ,intune services with different role sets and visibility of policies to the administrators.

Below policies for BYOD devices were created –

App Protection Policies

App Configuration Policies

Compliance Policies

Below Policies for Meeting rooms were created –

App Protection Policies

App Configuration Policies

Compliance Policies

Having the policies created now we need to segregate them by tagging to associated admin groups, device groups and scope tags.

Created Admin Groups –

Group 1: MRM Admins – To manage only the Meeting room  intune policies.

Group 2: Pilot Mobile Admins – To manage only the Andriod/IOS Intune  device policies.

Created Device Groups –

Group 1: Meeting Rooms – Created to add the meeting room devices and service accounts. This is required to scope this group in the custom RBAC role that we are creating and targeting for meeting room systems and their service accounts.

Group 2: IntuneMobileDevices – Created to add the BYOD users accounts . This is required to scope this group in the custom RBAC role that we are creating and targeting for byod users.

Created Scope Tags –

Scope Tag 1: Mobile-Admin – To tag all the BYOD mobile IOS/Andriod policies, users and devices. We have added the created group for intune users. One important point to note here is that all new users who needs to be part of intune policies needs to be added to this group.

The policies can be tagged to their related scope tags from the properties page.

Scope Tag 2: SRS-Admin – To tag all the meeting room devices and the service accounts.

In the same way we did for BYOD devices meeting room policies were tagged to this scope tag.

Scope tags are very much required and they are the basic benchmarks which are used to segregate the roles, permissions, devices and users. In this case we have created two scope tags and associated them to their corresponding policies,users,devices and admins.

Created 2 Custom RBAC roles –

Role 1: Meeting Room Admin – Clone copy of policy and profile manager role scoped only to MRM admins group. Tagged this role to SRS-Admin scope tag.

Role 2: Mobile Administrators – Clone copy of policy and profile manager role scoped only to Pilot Mobile Admins  admins group. Tagged this role to Mobile-Admin Scope tag.

The default RBAC roles will provide visibility to all the policies and hence we need to create new roles.Here we have created two clones of the default policy (policy and profile manager). Tagging these two roles to the appropriate scope tags is very important. Ideally scope tags are the components which seperates the role segregation based on policies and users defined on them.

Finally created few policies and tagged them separately for Mobile devices and meeting rooms.

Admin log in experience:

Policies  visibility from Global Admin account where we could see all the policies in the intune portal.

When logging in from mobile admin we see only mobile device policies for byod associated with him.

Only BYOD device compliance policies are present.

In the same way when logging from SRS admin we see only the meeting room policies associated with him.

Only meeting room app protection policies are found.

Caveats :

  1. For custom RBAC role it is requesting an EMS license to be assigned mandatorily for the admin accounts. I attempted the admin accounts without the licenses and it is not working.
  2. Once the policy is applied to admin accounts it is taking almost 24 hours’ time to be in effect.

We can utilize role based access control in combination with scope tags to ensure that the privilege administrator accounts have the correct access and perceivability to the right Intune objects. Scope tags figure out which objects administrators can see from their admin portal.

Thanks & Regards

Sathish Veerapandian

Microsoft Teams – Deploy Information barrier policies for your organization.

Microsoft Teams, Security February 23, 2020 Leave a comment

A year ago Microsoft released the information barrier policies as another security enhancement feature in Microsoft Teams. With this new component it helps the organization to enforce policies which prevents the communication between specific group of people. This is primarily helpful and beneficial for the organizations who are into manufacturing and production units where they would need to adhere certain industry standards and guidelines usually to avoid conflicts of interest.

Before we actually move into deploying the information barrier policies segmentation of the users needs to be done.Ideally the business requirement which falls into compliance category to prevent communications between groups of users in Microsoft Teams. For example a person from Marketing Team cannot make a call,send instant messages or share his desktop to Research department. It can be vice versa or its is only one direction. All the sets of users needs to be identified because this contributes to the number of the segments that we are going to create for this policy to prevent the communication between them.

There are three key elements involved in creating the information barrier policy:

1) Segment the users in your organization.
2) Define Information barrier policies.
3) Apply the information barrier policies.

Below prerequisite needs to be met for creating the information barrier policies:

1) Users must have any one of the following license assigned – Microsoft 365 E5,Office 365 E5,Office 365 Advanced Compliance or Microsoft 365 E5 Information Protection and Compliance.

2) Enable scoped directory search for Microsoft Teams

Scoped directory search can be easily enabled from the teams admin center with the below toggle switch.

3) Turn on the Auditing on the audit log search page in Security and Compliance center. This is required for troubleshooting Information barriers policies. If we do not see them turned on then it is already enabled.

4) No address book policy should be enabled if we need this feature. Because Information barriers are based on address book policies and if we have them it might create a conflict and start working based on the configured address book policy.

5) Grant Admin consent for information barriers in Microsoft Teams.

Login-AzureRmAccount 
$appId="bcf62038-e005-436d-b970-2a472f8c1982" 
$sp=Get-AzureRmADServicePrincipal -ServicePrincipalName $appId
if ($sp -eq $null) { New-AzureRmADServicePrincipal -ApplicationId $appId }
Start-Process  "https://login.microsoftonline.com/common/adminconsent?client_id=$appId"

Once we run the above command global admin with the required privilege needs to grant admin consent to the information barrier processor app. This helps information barriers from removing persons from chat sessions where they are not supposed to be in them.

6) Ensure that the required data user attributes are populated in the user attribute fields which is required to identify and apply the information barrier policy.

In our example we’ve chosen 2 ideal candidates and populated the department attribute value which will be used for segmentation.

Now we need to segment users which means “Block” policies prevent sales group from communicating with research group.

In order to accomplish this task we need to connect to office365 security and compliance powershell module

In our example we can take two groups marketing and research where they both shouldn’t communicate with each other.

New-OrganizationSegment -Name "Marketing" -UserGroupFilter "Department -eq 'marketing'"

The above example creates a segment of users who are only from marketing department.

In our case we need to create one more segment of users where they belong to research team

New-OrganizationSegment -Name "research" -UserGroupFilter "Department -eq 'research'"

Now we have created the segment the information barrier policies needs to be created. Now we have to keep few things very clear in mind while applying the information barrier policies. For instance two policies cannot be applied to one segment of users. It is always advisable to make this information barrier policy to inactive status once they are created. Later we can edit this and apply for all users.

When we block communication between two segments in our case marketing and research we need to define two policies. A very important point to note is that each policy blocks communication one way only.

New-InformationBarrierPolicy -Name "Marketing-Research" -AssignedSegment "Research" -SegmentsBlocked "Marketing" -State Inactive

Now we need to create another policy to block the marketing department to communicate with research.

Activate the information barrier policy

Set-InformationBarrierPolicy -Identity GUID -State Active

We can verify the information barrier policies that we have created to ensure they have the correct values as per our requirement.

Now we need to start the information barrier policies with the below command

Start-InformationBarrierPoliciesApplication

As per the information we’ve received in the above command we need to wait for a while until the deployment gets completed in our tenant and will be successful once the status becomes completed.

Testing the information barrier policy to applied recipient.

Now logged in as Vijay Raghavan user from Marketing Team while attempting to search for Clen Richard from Research he gets an empty result.

However he is able to lookup for other users.

The users who are applied in this policy will not be able to add the blocked users in any of their teams as well.

The same thing happens for the other user Clen Richard on attempting to talk to the user from Marketing Team.

Subsequently the information barriers adds a great value to any organization to uphold the communication compliance with few easy steps from the office 365 security ad compliance center and consistently utilize Microsoft Teams.As of now information barriers apply to Microsoft Teams chats and channels only.

Microsoft Teams – Utilize the AzureADMSGroupLifecyclePolicy command to manage the teams group life cycle

Microsoft Teams, Security February 16, 2020 Leave a comment

With the Azure active directory powershell commandlets, we could control the lifecycle of office365 groups.Ideally when any office365 group is created for an action of creating a team in the backend it creates the azure ad group.With the Azure commandlets we have options to control the lifecycle of the office365 groups automatically.

Let’s say we ‘ve created Team for a partner project which completes in 1 year time period, we have got an option to expire this team in 1 year time during the team creation.This keeps the access reviews of the Microsoft Teams intact and ensures that only required persons have access to the company corporate data.

The default setting is unlimited days as it should be for most of the scenarios.

Firstly we need to connect to azuread module from the powershell. Since we do not have any group life cycle policy the value remains empty.

Below example creates a a new groupLifecyclePolicy. This policy can be applied to targeted set of office 365 groups.

New-AzureADMSGroupLifecyclePolicy -GroupLifetimeInDays 99 -ManagedGroupTypes "groupid" -AlternateNotificationEmails "sathish@ezcloudinfo.com"

The managed group type parameter provides us the option to choose how we can manage the groups in our environment. Keeping the value “None” will create the policy but will not be applied to any groups. Specifying them “All” will apply this policy to all Office 365 groups. “Selected” will provide us the option to choose specific Office 365 groups.

To test this we can try to apply this policy to single group Teams-Partners. This group was created as an action of creating a team in Microsoft Teams.


In order to apply to a group we have to run the below command by specifying the group ID.

Get-AzureADMSGroupLifecyclePolicy -Id "admsgroupid" | Add-AzureADMSLifecyclePolicyGroup -GroupId "ID"

If we need to apply this to a group of ID’s which were reviewed and require to set expiry we can apply them from a input csv.

$policy = "mentionthepolicyID"
#keep the groupid as the input value in the csv
$365group = import-csv ".\365group.csv" 
Foreach ($group in $groups) {
Add-AzureADMSLifecyclePolicyGroup -Id $policy -groupId $group.objectId}

We can run this on a periodic interval after performing access review on the Office 365 groups.There is also an option to notify the group owner on a particular period of time to review if they still require this group to be in the system. Keeping this option will remind the owner of the group who created the team to decide if they require to provide access to the users and external parties if the guest users are added to them.

We can then verify if it is applied for a group by using the commandlet Get-AzureADMSLifeCyclePolicyGroup by specifying the group id. This will return the output of to which AzureADMSgroup it have been assigned. We do have an option to extend the grouplifetime to our desired interval.

There are few organizations where the Office 365 group and teams group creation is provided as self service to users to increase the Office 365 adoption rate.In those cases the admin can review the groups created once in a month and apply the expiration policy for them.

This option will be better for the admins to create the expiry of the groups as per the company security policy.If we are doing a periodic review we can also use a input CSV for the selected groups and can apply the policy to these selected groups.

Microsoft Teams – Notify security administrator when a new team is created by the end users

Microsoft Teams, Security February 13, 2020 Comments: 4

Microsoft Teams is being used as a most preferred method of communication platform by many organizations. By default in office 365 the group creation is enabled for end users which will allow them to create public and private groups. Few organizations are having the group creation disabled on the organization level for larger scale companies and have users request for creating the teams using a request form which will run through a automation process in the background with help of azure automation accounts ,Microsoft flow or few other mechanisms.

But few organizations are really interested in allowing the users to create the Office 365 groups once their workloads are migrated to office 365. This is primarily to increase the adoption rate of Office 365 workloads Microsoft Teams and SharePoint online.

We have more options available in Office 365 cloud app security. By leveraging these options we can better secure the Office 365 suite of products which in turn controls the Data loss prevention, security compliance, information governance and threat management for the entire organization.

Through Cloud App Security –

Navigate to Cloud App Security – https://portal.cloudappsecurity.com

Select and create Activity Policy

Do not choose any policy templates – select policy severity – category as per classification – Have selected compliance in below example.

Choose the acton single activity – activity type – equals – Team Created.

There is another alternative to create the policy as below by choosing the teams app. Going with this approach provide us more options like to get notified when teamsettingchanged,cut/copy item. adding a channel, changing a channel settings and when a team is deleted. There are lot of other actions which can be added based on our requirement.

Choose the severity and specify the email notification alert with no action.

The security administrators responsible for viewing this new group creation alerts can be added over here.

Further governance actions can be specified. We have an option to notify user and cc additional user with custom message.

The custom message can be added over here. There is an option to add a hyperlink as well.

When a new team is created by the end user the specified email address is notified.

We get more information on the cloud app security alerts.

We can use cloud app security for other activities in office 365 applications as well to notify the security administrators or the SOC team, so that they will be able to monitor the events which are categorized as non-compliance in Office 365 organization according to their security guidelines.

Thanks & Regards

Sathish Veerapandian

Review and Remove inactive guest users from Microsoft Teams through Identity Governance – Access reviews

Microsoft Teams, Security January 31, 2020 Leave a comment

When an office 365 group is created, we have options to collaborate with public partner accounts .As a result of this People outside organization can see and have access to office365 public groups contents when they are been invited as guests.

When we have allowed the end users to create the office 365 groups and invite the external partners to collaborate,over a period of time the groups left unattended without the access reviews. There is a high possibility of an user having access to the sensitive documents which they don’t need them anymore.

In order to alleviate these security issues , we can influence the Microsoft Azure Identity Governance – Access reviews

With the access reviews created for office365 groups , we can let the group owners review their office 365 public group guests present on them and take necessary action based on the requirement.

In order to create access review navigate to azure portal – Identity Governance – Access reviews – Click on access review – Select New access review.

Now we can create them with name ,description , start date and frequency of how often the access reviews needs to take place for the office365 groups.

We can set the number of times, end date and the scope to guest users only. And target the external groups which have the guest users added. Probably this part needs to be reviewed periodically and add the new groups in this list.

Furthermore we have the options to customize the reviewers who will be the reviewers of this access review task.

Upon completion we have the action to choose – Remove,Approve or take recommendations.

Finally we have few options which is present in the advanced settings. Once the customization is done as per the requirement we can start the review.

Once the schedule is triggered as per the configuration the reviewers get an email with the timeline.

Once clicked on review the user gets the guest user details and the options to take action based on the business requirement.

The reviewer gets an option to type the comment and take the necessarily action.

We have the review results section where we have an option to download the access review tasks and save them for ISO audit compliance which will help during the ISO Audit Evaluation cycles.

This is usual in most of the organizations when the guest accounts are provided access to the business sensitive content. Ultimately its the group owner’s responsibility to periodically review them and take necessary actions.

There is lot more to get benefited with Identity Governance access reviews. The above method will help us in evaluating and having right access only to the required individuals in Office 365 Groups.

Regards

Sathish Veerapandian

Microsoft Teams – Enable data loss prevention,ATP safe attachments,retention of files and conversations

Microsoft Teams, Retention Policies, Security December 17, 2019 Leave a comment

Security is considered one of the success factor for any implementations.With Office 365 security and compliance there are lot of options to enforce the security across Office 365 suite of products.We can enforce DLP on Microsoft Teams based on our requirement. ATP can be turned on for all file upload activities in Microsoft Teams. The best part is that now we do have option to enable retention as lesser as 1 day in Microsoft teams channel messages and chats.

Microsoft Data Loss Prevention have been protecting sensitive information across all Office365 platforms. The easiest part is that we already have more custom built-in templates which will be easier for us to create,test,evaluate the results and finally create one for the production.

DLP Policy in Teams:

To create a dedicated DLP policy for Teams navigate to security and compliance center – Create a new policy.

In our example we are creating a new policy which will block the sharing of PAN card number via teams channels and chats.

In locations tab ensure that we are selecting teams chat and channel messages if the location is going to be only teams. If we need on all locations then we can keep them all enabled.

Under policy settings we do have lot of prebuilt templates which is super simple for us to just select and apply. In our case we are just selecting Block Indian PAN CARD number not to be shared via teams channels and chat messages.

Now we’ve created the teams data loss prevention policies and its time for us to test the created policy.

Have just logged into my test account and attempted to send a PAN Card to my account. The moment the PAN card is shared it is immediately blocked from the DLP policy.

And from the recipient end received the following message and the message is not delivered since it matches our DLP policy.

With the DLP policy we will be able to secure our sensitive information in Teams Channels and chat conversations.

Enable safe attachments on Teams Channels and chats :

Enabling ATP on Teams is pretty straight forward.

We need to navigate to protection security center – threat management – policy – select safe attachments.

All we need to do is to just select turn on ATP for SharePoint, One Drive and Microsoft Teams.

Once the policy is enabled and when somebody attempts to share an infected file the file is blocked but still present in the library, however no one will have the ability to open them from their side.

Files are scanned asynchronously, through a process that uses sharing and guest activity events along with smart heuristics and threat signals to identify malicious files.

To review the quarantined files we can go to threat management – review – select view quarantined files

Enable Retention in Microsoft Teams channels and chat conversations:

By default teams conversations and files are retained forever. With the new retention policy introduced in Microsoft teams channels and chats now admins have the option to customize the retention and delete the data forever if it is considered as liability according to the company retention policy.

In-order to create retention policies navigate to security center – select information governance – select retention – click create

Have created once dedicated policy for Teams Retention.

Now we choose the retention settings as per our requirement. The good part is that we do have the option now to retain the content lesser to even 1 day time.

Now we need to create a new retention policy for Microsoft Teams. If we try to edit the old retention policy there wouldn’t be an option to include Team Channel Messages and Chats , since these locations were on-boarded recently in the retention policy scopes.

Once selected based on the retention period all the Teams channel messages and chats are retained.

If end users delete their Teams messages, these messages are still preserved and available for search through eDiscovery for particular years based on the retention period set in the policy.

In order to recover a deleted file from channels – navigate to the channels – files tab – select open in sharepoint

Now after clicking on open in SharePoint – navigate to recycle bin and we could see the deleted file present.

We do have the same restore option like what we see in SharePoint sites.

With all the new security enhancement and retention channels enabled in Microsoft Teams it makes more convenient better communication platform for all users in the enterprise environment.

Microsoft Teams – Enforce Multifactor Authentication on guest accounts

Azure, Microsoft Teams, Security December 9, 2019 Comments: 8

Post the ignite sessions last month on Microsoft Teams, we have enhancements on security perspective that can be enabled which adds extra protection in any organization.

Inviting the external guest users to the teams channel have been a welcoming option for all of us which increases the communication between them and surges the productivity. However, there are few security guidelines that needs to be followed to ensure that our data is always secure even when they are shared outside the boundary. For instance, a guest account getting compromised where he is a member of a finance team will become a major security incident in any organization.

This article outlines the steps that can be carried over to enhance the security on Microsoft Teams guest accounts by enforcing the multi factor authentication.

Below are the steps to enforce the MFA on guest accounts:

First create a dynamic distribution group and target the guest account

Login to Azure AD Tenant with Admin privilege’s- Go to Groups – Create new group – make them security – membership type make them dynamic.

Now we need to add a dynamic query where the property is usertype  and the value is guest.

Once done populate the rule syntax and save them.

After some time now, we could see that the populated guest users in our Azure AD tenant will become the members of this group. Since it’s a dynamic query all the new upcoming accounts will be getting occupied automatically.

Create conditional access policy for guest accounts:

Now we need to create a conditional access policy for the Microsoft Teams guest accounts.

Navigate to enterprise applications – click on conditional access.

Now we need to target the dynamic group on this conditional access policy.

In cloud apps select Microsoft Teams , also better to select Sharepoint online which will enforce MFA for these Sharepoint guest users as well.

In conditions we are selecting only the locations. Further it can be manipulated based on the business prerequisite.

In the access control we are selecting only require MFA and the IT policy.

Now we have the MFA enforced on the guest accounts and we will see the action of this configuration from the invited user.

Experience of the guest users enforced with MFA:

In order to simulate this behavior , we are just adding one guest user a teams channel

Post after that the invited user receives  a welcome email and this is usual behavior for any invited Azure AD guest user accounts.

When clicking to login the user will be prompted to register and enroll in MFA.

User will be prompted to enter the mobile number in the invited tenant for MFA and needs to complete the initial authentication process.

If we have enabled the IT policy user will be prompted to read and accept the IT policy.

Finally the user is logged in with the guest account and able to participate on the invited team through a secured way of authentication.

With very nominal steps through the conditional access it creates a overall better security for Microsoft Teams.

Use Azure Automation accounts, Run Books and Schedules to start stop VMs automatically running in Azure

Automation, Azure November 20, 2019 Leave a comment

By using this article, we can start/stop VMs during off-business houses.This greatly benefits the customers especially in cost optimization and manual task overhead of performing this action manually. But we need to make sure that the VMs that we are selecting is present in the same subscription where the automation account and this schedule is created by selecting only the required VMs and excluding the other VMs.

Login to Azure portal

Go to ALL Services and Type Automation Account and Create Automation Account.

Under Process Automation, click Runbooks to open the list of runbooks.

Click on + Create a runbook button to create a new runbook

Provide and Name and Runbook Type as PowerShell for the new runbook and then click Create button.

The Run Book is Empty, must deploy the Code  then Save and Publish

Note: You can Find lot of powershell scripts for this task in the github and technet gallery. You can use the below one as well taken from github.

#PowerShell Script to Start and Stop VM's in Azure on Scheduled Intervals using Azure Automation Account#
Param(
[Parameter(Mandatory=$true,HelpMessage="Enter the value for Action. Values can be either stop or start")][String]$Action,
[Parameter(Mandatory=$false,HelpMessage="Enter the value for WhatIf. Values can be either true or false")][bool]$WhatIf = $false,
[Parameter(Mandatory=$false,HelpMessage="Enter the VMs separated by comma(,)")][string]$VMList
)

function ValidateVMList ($FilterVMList)
{
[boolean] $ISexists = $false
[string[]] $invalidvm=@()
$ExAzureVMList=@()

foreach($filtervm in $FilterVMList) 
{
    $currentVM = Get-AzureRmVM | where Name -Like $filtervm.Trim()  -ErrorAction SilentlyContinue

    if ($currentVM.Count -ge 1)
    {
        $ExAzureVMList+= @{Name = $currentVM.Name; Location = $currentVM.Location; ResourceGroupName = $currentVM.ResourceGroupName; Type = "ResourceManager"}
        $ISexists = $true
    }
    elseif($ISexists -eq $false)
    {
        $invalidvm = $invalidvm+$filtervm                
    }
}

if($invalidvm -ne $null)
{
    Write-Output "Runbook Execution Stopped! Invalid VM Name(s) in the VM list: $($invalidvm) "
    Write-Warning "Runbook Execution Stopped! Invalid VM Name(s) in the VM list: $($invalidvm) "
    exit
}
else
{
    return $ExAzureVMList
}
}

function CheckExcludeVM ($FilterVMList)
{
[boolean] $ISexists = $false
[string[]] $invalidvm=@()
$ExAzureVMList=@()
<pre><code>foreach($filtervm in $FilterVMList) 
{
    $currentVM = Get-AzureRmVM | where Name -Like $filtervm.Trim()  -ErrorAction SilentlyContinue
    if ($currentVM.Count -ge 1)
    {
        $ExAzureVMList+=$currentVM.Name
        $ISexists = $true
    }
    elseif($ISexists -eq $false)
    {
        $invalidvm = $invalidvm+$filtervm
    }

}
if($invalidvm -ne $null)
{
    Write-Output "Runbook Execution Stopped! Invalid VM Name(s) in the exclude list: $($invalidvm) "
    Write-Warning "Runbook Execution Stopped! Invalid VM Name(s) in the exclude list: $($invalidvm) "
    exit
}
else
{
    Write-Output "Exclude VM's validation completed..."
}    </code></pre>
}
<h1>-----L O G I N - A U T H E N T I C A T I O N-----</h1>
$connectionName = "AzureRunAsConnection"
try
{
# Get the connection "AzureRunAsConnection "
$servicePrincipalConnection=Get-AutomationConnection -Name $connectionName
<pre><code>"Logging in to Azure..."
Add-AzureRmAccount `
    -ServicePrincipal `
    -TenantId $servicePrincipalConnection.TenantId `
    -ApplicationId $servicePrincipalConnection.ApplicationId `
    -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint </code></pre>
}
catch
{
if (!$servicePrincipalConnection)
{
$ErrorMessage = "Connection $connectionName not found."
throw $ErrorMessage
} else{
Write-Error -Message $_.Exception
throw $_.Exception
}
}
<h1>---------Read all the input variables---------------</h1>
$StartResourceGroupNames = Get-AutomationVariable -Name 'RG-Of-VMs-To-Start'
$StopResourceGroupNames = Get-AutomationVariable -Name 'RG-Of-VMs-To-Stop'
$ExcludeVMNames = Get-AutomationVariable -Name 'Excluded-List-Of-VMs'

try
{
$Action = $Action.Trim().ToLower()
<pre><code>    if(!($Action -eq "start" -or $Action -eq "stop"))
    {
        Write-Output "`$Action parameter value is : $($Action). Value should be either start or stop."
        Write-Output "Completed the runbook execution..."
        exit
    }            
    Write-Output "Runbook Execution Started..."
    [string[]] $VMfilterList = $ExcludeVMNames -split ","
    #If user gives the VM list with comma seperated....
    $AzurVMlist = Get-AutomationVariable -Name $VMList
    if(($AzurVMlist))
    {
        Write-Output "list of  all VMs = $($AzurVMlist)"
        [string[]] $AzVMList = $AzurVMlist -split ","        
    }
    if($Action -eq "stop")
    {
        Write-Output "List of  all ResourceGroups = $($StopResourceGroupNames)"
        [string[]] $VMRGList = $StopResourceGroupNames -split ","
    }

    if($Action -eq "start")
    {
        Write-Output "List of  all ResourceGroups = $($StopResourceGroupNames)"
        [string[]] $VMRGList = $StartResourceGroupNames -split ","
    }

    #Validate the Exclude List VM's and stop the execution if the list contains any invalid VM
    if (([string]::IsNullOrEmpty($ExcludeVMNames) -ne $true) -and ($ExcludeVMNames -ne "none"))
    {
        Write-Output "Values exist on the VM's Exclude list. Checking resources against this list..."
        CheckExcludeVM -FilterVMList $VMfilterList 
    } 
    $AzureVMListTemp = $null
    $AzureVMList=@()

    if ($AzVMList -ne $null)
    {
        ##Action to be taken based on VM List and not on Resource group.
        ##Validating the VM List.
        Write-Output "VM List is given to take action (Exclude list will be ignored)..."
        $AzureVMList = ValidateVMList -FilterVMList $AzVMList 
    } 
    else
    {

        ##Getting VM Details based on RG List or Subscription
        if (($VMRGList -ne $null) -and ($VMRGList -ne "*"))
        {
            foreach($Resource in $VMRGList)
            {
                Write-Output "Validating the resource group name ($($Resource))"  
                $checkRGname = Get-AzureRmResourceGroup -Name $Resource.Trim() -ev notPresent -ea 0  

                if ($checkRGname -eq $null)
                {
                    Write-Warning "$($Resource) is not a valid Resource Group Name. Please verify your input"
                }
                else
                {    
                    # Get resource manager VM resources in group and record target state for each in table
                    $taggedRMVMs =  Get-AzureRmVM | ? { $_.ResourceGroupName -eq $Resource} 
                     foreach($vmResource in $taggedRMVMs)
                    {
                        if ($vmResource.ResourceGroupName -Like $Resource)
                        {
                            $AzureVMList += @{Name = $vmResource.Name; ResourceGroupName = $vmResource.ResourceGroupName; Type = "ResourceManager"}
                        }
                    }
                }
            }
        } 
        else
        {
            Write-Output "Getting all the VM's from the subscription..."  
            $ResourceGroups = Get-AzureRmResourceGroup 

            foreach ($ResourceGroup in $ResourceGroups)
            {    

                # Get resource manager VM resources in group and record target state for each in table
                $taggedRMVMs = Get-AzureRmVM | ? { $_.ResourceGroupName -eq $ResourceGroup.ResourceGroupName}

                foreach($vmResource in $taggedRMVMs)
                {
                    Write-Output "RG : $($vmResource.ResourceGroupName) , ARM VM $($vmResource.Name)"
                    $AzureVMList += @{Name = $vmResource.Name; ResourceGroupName = $vmResource.ResourceGroupName; Type = "ResourceManager"}
                }
            }

        }
    }

    $ActualAzureVMList=@()

    if($AzVMList -ne $null)
    {
        $ActualAzureVMList = $AzureVMList
    }
    #Check if exclude vm list has wildcard       
    elseif(($VMfilterList -ne $null) -and ($VMfilterList -ne "none"))
    {
        $ExAzureVMList = ValidateVMList -FilterVMList $VMfilterList 

        foreach($VM in $AzureVMList)
        {  
            ##Checking Vm in excluded list                         
            if($ExAzureVMList.Name -notcontains ($($VM.Name)))
            {
                $ActualAzureVMList+=$VM
            }
        }
    }
    else
    {
        $ActualAzureVMList = $AzureVMList
    }

    Write-Output "The current action is $($Action)"

    $ActualVMListOutput=@()

    if($WhatIf -eq $false)
    {   
        $AzureVMListARM=@()


        # Store the ARM VM's
        $AzureVMListARM = $ActualAzureVMList | Where-Object {$_.Type -eq "ResourceManager"}


        # process the ARM VM's
        if($AzureVMListARM -ne $null)
        {
            foreach($VM in $AzureVMListARM)
            {  
                $ActualVMListOutput = $ActualVMListOutput + $VM.Name + " "
                #ScheduleSnoozeAction -VMObject $VM -Action $Action

                #------------------------
                try
                {          
                    Write-Output "VM action is : $($Action)"
                    Write-OutPut $VM.ResourceGroupName

                    $VMState = Get-AzureRmVM -ResourceGroupName $VM.ResourceGroupName -Name $VM.Name -status | Where-Object { $_.Name -eq  $VM.Name }
                    if ($Action.Trim().ToLower() -eq "stop")
                    {
                        Write-Output "Stopping the VM : $($VM.Name)"
                        Write-Output "Resource Group is : $($VM.ResourceGroupName)"


                        if($VMState.Statuses[1].DisplayStatus -ne "VM running")
                        {
                            Write-Output "VM is not in running state, No actions performed"
                        }
                        else
                        {
                            $Status = Stop-AzureRmVM -Name $VM.Name -ResourceGroupName $VM.ResourceGroupName -Force

                            if($Status -eq $null)
                            {
                                Write-Output "Error occured while stopping the Virtual Machine."
                            }
                            else
                            {
                                Write-Output "Successfully stopped the VM $($VM.Name)"
                            }            
                        }

                    }
                    elseif($Action.Trim().ToLower() -eq "start")
                    {
                        Write-Output "Starting the VM : $($VM.Name)"
                        Write-Output "Resource Group is : $($VM.ResourceGroupName)"

                        if($VMState.Statuses[1].DisplayStatus -eq "VM running")
                        {
                            Write-Output "VM already Running, No actions performed"
                        }
                        else
                        {
                            $Status = Start-AzureRmVM -Name $VM.Name -ResourceGroupName $VM.ResourceGroupName

                            if($Status -eq $null)
                            {
                                Write-Output "Error occured while starting the Virtual Machine $($VM.Name)"
                            }
                            else
                            {
                                Write-Output "Successfully started the VM $($VM.Name)"
                            }
                        }
                    }      

                }
                catch
                {
                    Write-Output "Error Occurred..."
                    Write-Output $_.Exception
                }
                #--------------------------
            }
            Write-Output "Completed the $($Action) action on the following ARM VMs: $($ActualVMListOutput)"
        }


    }
    elseif($WhatIf -eq $true)
    {
        Write-Output "WhatIf parameter is set to True..."
        Write-Output "When 'WhatIf' is set to TRUE, runbook provides a list of Azure Resources (e.g. VMs), that will be impacted if you choose to deploy this runbook."
        Write-Output "No action will be taken at this time..."
        Write-Output $($ActualAzureVMList) 
    }
    Write-Output "Runbook Execution Completed..."
}
catch
{
    $ex = $_.Exception
    Write-Output $_.Exception
}

Now in Automation Account, under Shared Resources click Variables and add these variables [Note: while creating the variables you have to provide some Value, later you can delete the value if required]


Explanation of these variables-

RG-Of-VMs-To-Start: ResourceGroup that contains VMs to be started. Must be in the same subscription that the Azure Automation Run-As account has permission to manage.

RG-Of-VMs-To-Stop: ResourceGroup that contains VMs to be stopped. Must be in the same subscription that the Azure Automation Run-As account has permission to manage.

Excluded-List-Of-VMs: VM names to be excluded from being started/Stopped

Note: These Variables are defined in the PowerShell Code and should not be changed if used by default.

VMstoStartStop: Provide the list of the VMs to be started or stopped.

Now we will create schedule for the start & stop of VMs. Under Shared Resources, click on Schedules and then click + Add a schedule and provide a Name and time and recurrence frequency for the schedule and Click Create

Similarly create schedule for Stop_VM


Now we will attach these schedules with the runbook. Go to Runbook and then open the runbook, click schedules and then + Add a schedule

Now link Start_VM and then provide parameter values. ACTION can have values like start or stop. In VMLIST provide the variable name “VMstoStartStop” which contains the VM names. Click create

Similarly attach the Stop_VM and provide the Action value Stop and VMList value VMstoStartstop.

So now we have two schedules start-vm and stop-vm which would be running on the defined schedules.

Now your runbook will execute the start of VM and stop of VM as per the schedule attached. The results of runbook execution can be seen under Process Automation –> Jobs.

This task greatly benefits the hassle of maintaining and performing this task manually from the admin side.

Extend local AD extension attributes to Azure AD in a non-hybrid exchange online only environment

Active Directory, Azure November 19, 2019 Leave a comment

There might be a scenario where the environment has Azure AD synced users from local Active Directory. The mailboxes will be created directly in exchange online with no hybrid configured from the underlying time as a rule for new businesses.

Usually developers for customizing the login experience for different business units in their application consume the local extension AD attributes and its usually fine for fully on premise environments.

If we have exchange installed in the environment , the active directory schema will be extended to include user extensionattributes in the exchange mailbox properties.

There is another option of Using the Exchange Server install media, extend only the local Active Directory schema. Usually this option is not recommended. Doing this would add Exchange attributes to the local Active Directory. These attributes could then be set, and Azure AD Sync would then be configured to sync these attributes to Office 365.This option requires much testing, and there is always risk associated with AD schema changes.

Even in hybrid setup these values gets populated in Exchange online via exchange hybrid configuration for all users.

In the third scenario where we do not own a exchange hybrid and if the developer is using Azure AD via graph API and expecting these values on azure AD for the customization. In this case we have a better option of extending these values from the Azure AD connect by running them again and selecting only the required AD extension attributes.

Login to Azure AD with global admin credentials and select customize synchronization options

Select directory extension attribute sync.

Here we will have the option to choose the local active directory attributes. In our case we are selecting the two atttributes extensionattribute7 and extensionattribute8 .

Once done go ahead and click on configure.

It must be working usually in this steps but in this case we did a directory refresh schema.

Selected the directory for refresh.

Now went to the local Active Directory and populated the extensionattribute8 for one user.

Once after the sync is completed we can verify if the value is populated in the azure ad via graph explorer.

Login to the graph explorer from the below url.

https://developer.microsoft.com/en-us/graph/graph-explorer

We can login with any valid credentials from your tenant.

We will be asked for the admin consent and needs to be selected based on the requirement.

Run the below query.

https://graph.microsoft.com/v1.0/me?$select=mail,jobTitle,companyName,onPremisesExtensionAttributes

For Reading on premise attributes (mail, jobTitle, company Name and onPremisesExtensionAttributes) using Graph API. You should see the extensionAttribute8 under onPremisesExtensionAttributes which is being used currently.

In our case we can see the extension attribute8 value which has been synched and available in Azure AD.

Using the directory extension option in the azure ad connect achieves this task in a lot less simpler way.

Thanks & Regards

Sathish Veerapandian

<span>%d</span> bloggers like this: