Azure – Setup Azure Blueprints

Challenge: separate subscriptions for multiple disciplines under the same Azure Active Directory tenant.

Requirement: every subscription must carry the same role assignments.

Solution: Azure Blueprints, which define a repeatable set of Azure resources that can be assigned to each subscription.

How?

Azure Blueprints provides

  • Role and Policy assignments
  • ARM templates
  • Resource Groups

Note: Blueprints never left preview and Microsoft has announced its deprecation (retirement in July 2026) in favour of ARM template specs and deployment stacks, so treat the steps below as guidance for an existing estate rather than a new design.

Reference guides

Getting Started Azure Blueprints (PREVIEW)

Creating Blueprint Guide – Focused on Roles

Create a blueprint. If you are new to Blueprints, start from one of the predefined sample blueprints rather than from a blank definition.

For this example I have selected "Resource Groups with RBAC (Role-based Access Control)".

Create blueprint > enter a Name, a Description and the Definition Location (the management group or subscription that will store the definition; choose a management group if the blueprint is to be assigned to several subscriptions).

Next: Artifacts. Add the artifacts the blueprint deploys: the resource groups, and inside them the role assignments, policy assignments and ARM templates.

Click Save Draft.


How to Publish a Blueprint

Click Blueprints > Blueprint Definitions > select the draft definition to publish.

Click Publish blueprint.

Enter a version and change notes > click Publish.

Publishing alone changes nothing in the subscriptions. The published version must then be assigned (Blueprint Definitions > select the definition > Assign blueprint) to each subscription; the assignment is what creates the resource groups and role assignments, and it runs as a managed identity that needs Owner on the target subscription.
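The same define, publish and assign sequence with the Azure CLI, as an added example that is not part of the original page. It uses the az "blueprint" extension (az extension add --name blueprint); the blueprint name, resource group, group object ID and subscription ID are assumptions for illustration. Commands are printed unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: define, publish and assign an Azure Blueprint with the CLI.
# DRY_RUN=1 (default) prints the az commands instead of calling Azure.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Built-in Contributor role definition id (the same GUID in every tenant).
CONTRIBUTOR_ROLE_ID='/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'

# Definition: subscription-scoped blueprint with one resource group artifact
# and a Contributor role assignment for an Azure AD group on that group.
# $1 = blueprint name, $2 = object id of the Azure AD group (assumed values)
blueprint_define() {
  bp="$1"; group_principal_id="$2"
  run az blueprint create --name "$bp" --target-scope subscription \
      --description 'Standard resource group with RBAC for each discipline subscription'
  run az blueprint resource-group add --blueprint-name "$bp" \
      --artifact-name coreRG --rg-name core-rg --rg-location uksouth
  run az blueprint artifact role create --blueprint-name "$bp" \
      --artifact-name contributorOnCoreRG --resource-group-art coreRG \
      --role-definition-id "$CONTRIBUTOR_ROLE_ID" \
      --principal-ids "$group_principal_id"
}

# Publish a version, then assign it to one subscription. The assignment is
# what creates the resource group and the role assignment in that subscription.
# $1 = blueprint name, $2 = version label, $3 = target subscription id
blueprint_publish_and_assign() {
  bp="$1"; version="$2"; subscription_id="$3"
  run az blueprint publish --blueprint-name "$bp" --version "$version" \
      --change-notes 'Initial publish'
  run az blueprint assignment create --name "assign-$bp-$version" \
      --location uksouth --identity-type SystemAssigned \
      --subscription "$subscription_id" \
      --blueprint-version "/subscriptions/$subscription_id/providers/Microsoft.Blueprint/blueprints/$bp/versions/$version"
}

# Usage (dry run): repeat the assign step once per discipline subscription.
blueprint_define discipline-baseline 00000000-0000-0000-0000-000000000001
blueprint_publish_and_assign discipline-baseline 1.0 11111111-1111-1111-1111-111111111111
```

To roll the same role assignments out to a second subscription, call blueprint_publish_and_assign again with the other subscription ID; the definition and published version are reused. Check the flag names against az blueprint --help for the extension version you have installed.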

Azure – Advisor

Sample screenshots of Azure Advisor.

Recommendation categories: Cost, Security, High Availability (Reliability), Performance, Operational Excellence. The Security category is fed by Microsoft Defender for Cloud recommendations.

Example recommendations report export, output as a PDF or CSV.

Azure – AD Identity Protection

This feature identifies risky user and sign-in activity and assigns it a risk level (low, medium, high): "risk detection and remediation".

The full feature set requires Azure AD Premium P2 (now Microsoft Entra ID P2); Premium P1 and Free/Basic get a restricted subset.

A key difference noted here is that the notification options are only available in Azure AD Premium P2; the risk-based policies below also require P2.

There are three default policies

  1. User Risk
  2. Sign-In Risk
  3. MFA Registration

Example of the Identity Protection Policies

Reference how-to guides:

  1. How To: Configure the Azure Multi-Factor Authentication registration policy
  2. How To: Configure and enable risk policies
  3. How To: Configure Identity Protection notifications

Azure – Log Analytics Workspace and Azure Virtual Machine Agent Install

How to prepare to collect security log data from your Azure Windows virtual machines. You require two things:

  1. A Log Analytics workspace to send the data to
  2. The monitoring agent installed on the virtual machine

This guide shows how to set up the workspace and install the agent on the virtual machine. Note that the Log Analytics (MMA/OMS) agent used below was retired on 31 August 2024; new deployments should use the Azure Monitor Agent, where the choice of event logs is made in a data collection rule rather than in the workspace settings.

Create a Log Analytics Workspace

Pricing is pay-as-you-go (billed per GB ingested, plus retention beyond the free period).

Next, connect the data source.

Click Virtual Machines > select the virtual machine and click Connect.

The agent is then installed automatically and is ready to be configured for the Log Analytics workspace.

Next, configure the workspace under Advanced settings. See the Microsoft Docs quick start guide.

Collect Windows event logs from the Windows VM

  • Click Data > Windows Event Logs.
  • Add an event log. Example type System and then select “+”.
  • In the table, check the options Error and Warning.
  • Select Save at the top of the page to save the configuration.
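The same outcome (workspace, agent, System log errors and warnings) done the current way with the Azure Monitor Agent and a data collection rule, as an added example that is not from the original page. Resource names, location and IDs are assumptions; the rule file shape follows the Data Collection Rule REST body and the XPath selects Critical, Error and Warning (Level 1 to 3) entries from the System log. Commands are printed unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: Log Analytics workspace + Azure Monitor Agent + DCR for
# Windows System log Critical/Error/Warning events.
# DRY_RUN=1 (default) prints the az commands instead of calling Azure.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Assumed names; override from the environment.
RG="${RG:-sec-rg}"; LOC="${LOC:-uksouth}"; WS="${WS:-sec-law}"; VM="${VM:-win-vm-01}"

# 1. Workspace. PerGB2018 is the pay-as-you-go SKU; 90-day retention.
workspace_create() {
  run az monitor log-analytics workspace create -g "$RG" -n "$WS" -l "$LOC" \
      --sku PerGB2018 --retention-time 90
}

# 2. Agent: Azure Monitor Agent VM extension, auto-upgraded.
agent_install() {
  run az vm extension set -g "$RG" --vm-name "$VM" --name AzureMonitorWindowsAgent \
      --publisher Microsoft.Azure.Monitor --enable-auto-upgrade true
}

# 3a. Write the DCR body. Level=1 Critical, 2 Error, 3 Warning; Information
#     (Level=4) is deliberately excluded to keep ingestion cost down.
# $1 = output file, $2 = workspace resource id
dcr_write() {
  file="$1"; ws_id="$2"
  cat > "$file" <<EOF
{
  "location": "$LOC",
  "properties": {
    "dataSources": {
      "windowsEventLogs": [
        { "name": "systemCritErrWarn", "streams": [ "Microsoft-Event" ],
          "xPathQueries": [ "System!*[System[(Level=1 or Level=2 or Level=3)]]" ] }
      ]
    },
    "destinations": {
      "logAnalytics": [ { "name": "law", "workspaceResourceId": "$ws_id" } ]
    },
    "dataFlows": [ { "streams": [ "Microsoft-Event" ], "destinations": [ "law" ] } ]
  }
}
EOF
}

# 3b. Create the rule and associate it with the VM.
# $1 = rule file, $2 = workspace resource id, $3 = VM resource id, $4 = DCR resource id
dcr_create_and_associate() {
  file="$1"; ws_id="$2"; vm_id="$3"; dcr_id="$4"
  dcr_write "$file" "$ws_id"
  run az monitor data-collection rule create -g "$RG" -l "$LOC" -n "$WS-win-events" --rule-file "$file"
  run az monitor data-collection rule association create --name "$VM-win-events" \
      --resource "$vm_id" --rule-id "$dcr_id"
}

# Usage (dry run) with assumed resource ids.
SUB='00000000-0000-0000-0000-000000000000'
workspace_create
agent_install
dcr_create_and_associate /tmp/dcr-system.json \
  "/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.OperationalInsights/workspaces/$WS" \
  "/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.Compute/virtualMachines/$VM" \
  "/subscriptions/$SUB/resourceGroups/$RG/providers/Microsoft.Insights/dataCollectionRules/$WS-win-events"
```

For security investigations the Security log is usually the one that matters; add a second entry to windowsEventLogs with an XPath such as Security!*[System[(EventID=4624 or EventID=4625 or EventID=4688)]] rather than collecting the whole log.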

Azure – Configure Management Locks – Prevent Accidental Deletion Of Core Resources

Locking prevents the accidental deletion or modification of critical resources, for example an Azure subscription, resource group, network, storage account or VM. There are two lock types: Delete (CanNotDelete), which still allows changes, and Read-only (ReadOnly), which blocks all changes. A lock applies to the Azure control plane only; it does not stop data inside the resource from being written or deleted, and it is inherited by everything below the scope it is set on. Only Owner or User Access Administrator (Microsoft.Authorization/locks/*) can create or remove a lock, so a Contributor cannot simply remove it before deleting.

How to configure a management lock to prevent the accidental deletion of a core network?

In this example we will put a "Delete" lock on a virtual network.

Virtual Network > select the network > Locks > Add > enter a name and set the lock type to Delete > OK

Configured.

To remove the lock, open the same Locks blade on the resource, select the lock and delete it; a deletion of the resource will fail with a lock error until this is done.
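The same lock with the Azure CLI, plus the list and remove steps, as an added example that is not part of the original page. The resource group and network names are assumptions. Commands are printed unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: CanNotDelete lock on a virtual network with az lock.
# DRY_RUN=1 (default) prints the az commands instead of calling Azure.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

VNET_TYPE='Microsoft.Network/virtualNetworks'

# Delete lock on one virtual network. $1 = resource group, $2 = vnet name
lock_vnet_delete() {
  rg="$1"; vnet="$2"
  run az lock create --name "no-delete-$vnet" --lock-type CanNotDelete \
      --resource-group "$rg" --resource-type "$VNET_TYPE" --resource-name "$vnet" \
      --notes 'Core network: remove this lock deliberately before deleting'
}

# Read-only lock at resource group scope: blocks every change in the group,
# including some reads that are really POSTs (e.g. listing storage keys),
# so use it only where the contents are genuinely static. $1 = resource group
lock_rg_readonly() {
  rg="$1"
  run az lock create --name "readonly-$rg" --lock-type ReadOnly --resource-group "$rg"
}

# Show which locks are in force on a resource group. $1 = resource group
lock_list() {
  rg="$1"
  run az lock list --resource-group "$rg" -o table
}

# Remove the vnet lock (needs Owner / User Access Administrator).
# $1 = resource group, $2 = vnet name
lock_vnet_remove() {
  rg="$1"; vnet="$2"
  run az lock delete --name "no-delete-$vnet" --resource-group "$rg" \
      --resource-type "$VNET_TYPE" --resource-name "$vnet"
}

# Usage (dry run)
lock_vnet_delete prod-rg core-vnet
lock_list prod-rg
lock_vnet_remove prod-rg core-vnet
```

After applying the lock, a deliberate az network vnet delete on the network should fail with a ScopeLocked error; that failure is the check that the lock is in force.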

AZURE – Control Storage Access by Networks

We have a storage account, "StorageV2 (general purpose v2)", which can initially be accessed from all networks. We now want to restrict storage access to an approved network location.

How?

Click on the storage account > Firewalls and virtual networks and click "Selected networks".

You can allow access from virtual networks (the subnet needs the Microsoft.Storage service endpoint, which the portal enables for you) or from public IP ranges through the firewall. The example below adds a virtual network and an external IP range. Then click Save.

Two caveats: once the default action is Deny, the portal and your own tooling are also blocked unless they come from an allowed network, and private (RFC 1918) ranges cannot be added as IP rules. Leave "Allow trusted Microsoft services" enabled if Azure services such as Backup or Monitor need to reach the account.
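The same restriction with the Azure CLI, as an added example that is not part of the original page. The resource group, account, network and the 203.0.113.0/24 office range are assumptions. The allow rules are added before the default action is switched to Deny so that there is no window in which the account has rules but nothing allowed. Commands are printed unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: restrict a storage account to one subnet and one public range.
# DRY_RUN=1 (default) prints the az commands instead of calling Azure.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# $1 = resource group, $2 = storage account, $3 = vnet, $4 = subnet, $5 = public CIDR
storage_restrict() {
  rg="$1"; sa="$2"; vnet="$3"; subnet="$4"; office_cidr="$5"
  # The subnet must have the Microsoft.Storage service endpoint before it can be allowed.
  run az network vnet subnet update -g "$rg" --vnet-name "$vnet" -n "$subnet" \
      --service-endpoints Microsoft.Storage
  # Allow rules first...
  run az storage account network-rule add -g "$rg" --account-name "$sa" \
      --vnet-name "$vnet" --subnet "$subnet"
  run az storage account network-rule add -g "$rg" --account-name "$sa" \
      --ip-address "$office_cidr"
  # ...then deny everything else, keeping the trusted-services bypass.
  run az storage account update -g "$rg" -n "$sa" --default-action Deny --bypass AzureServices
}

# Verify: the effective rule set as Azure sees it. $1 = resource group, $2 = account
storage_rules_show() {
  rg="$1"; sa="$2"
  run az storage account show -g "$rg" -n "$sa" --query networkRuleSet -o json
}

# Usage (dry run)
storage_restrict sec-rg secstorage01 core-vnet app-subnet 203.0.113.0/24
storage_rules_show sec-rg secstorage01
```

After saving, test from a host outside the allowed ranges: a blob listing should fail with an AuthorizationFailure (403), while the same request from the allowed subnet or office range succeeds.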

Azure – Update Management

How to maintain the patch status of your Windows and Linux machines.

"You can use Update Management in Azure Automation to manage operating system updates for your Windows and Linux machines in Azure, in on-premises environments, and in other cloud environments." (Microsoft)

Note: Azure Automation Update Management was retired on 31 August 2024 and is replaced by Azure Update Manager, which needs no Automation account or Log Analytics workspace; the steps below describe the retired feature.

To enable on a specific virtual machine in Azure:

Note: you only pay for the logs stored in Log Analytics.

Enabling the option can take up to 15 minutes.

Useful reference links

Bulk Add Azure VMs and Non Azure Machines

Azure – Route Tables – How To Force Traffic Down A Specific Route

"Create a route table when you need to override Azure's default routing."

Why?

  • To force internet traffic via the on-prem network
  • To route via an NGFW (Next Generation Firewall)

Scenario example: force all outbound traffic through a proxy or NGFW (for example Zscaler) for TLS inspection, web security and internet security, so that business internet traffic can be controlled, monitored and protected. You could go one step further and restrict access to Microsoft 365 or Azure to the approved IPs of the proxy.

How?

Create a route table > Add

Set a name.

Add a route to your table and select the next hop: Virtual appliance (with the appliance's private IP) for an NVA or proxy, or Virtual network gateway to send the traffic back on-prem. A 0.0.0.0/0 prefix captures all traffic not matched by a more specific route.

Then associate the route table with the workload subnets. Do not associate it with the subnet the appliance itself sits in, or its egress will loop back to itself, and enable IP forwarding on the appliance's NIC or Azure will drop the forwarded packets.

Example route set
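The route table, default route and subnet association with the Azure CLI, as an added example that is not part of the original page. Resource names, the appliance IP 10.0.1.4 and the example Microsoft 365 prefix are assumptions for illustration. Commands are printed unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: force a subnet's default route through an NVA / proxy.
# DRY_RUN=1 (default) prints the az commands instead of calling Azure.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create the table, add 0.0.0.0/0 -> appliance, attach it to a workload subnet.
# BGP propagation is disabled so on-prem advertised routes cannot bypass the NVA.
# $1 = rg, $2 = location, $3 = table name, $4 = NVA private IP, $5 = vnet, $6 = subnet
force_tunnel_via_nva() {
  rg="$1"; loc="$2"; rt="$3"; nva_ip="$4"; vnet="$5"; subnet="$6"
  run az network route-table create -g "$rg" -l "$loc" -n "$rt" \
      --disable-bgp-route-propagation true
  run az network route-table route create -g "$rg" --route-table-name "$rt" \
      -n default-via-nva --address-prefix 0.0.0.0/0 \
      --next-hop-type VirtualAppliance --next-hop-ip-address "$nva_ip"
  run az network vnet subnet update -g "$rg" --vnet-name "$vnet" -n "$subnet" \
      --route-table "$rt"
}

# Variant: send everything back on-prem over the VPN/ExpressRoute gateway instead.
# $1 = rg, $2 = table name
default_route_to_onprem() {
  rg="$1"; rt="$2"
  run az network route-table route create -g "$rg" --route-table-name "$rt" \
      -n default-via-gateway --address-prefix 0.0.0.0/0 \
      --next-hop-type VirtualNetworkGateway
}

# Exception: a more specific prefix wins over 0.0.0.0/0, so a destination that
# must not be inspected can be sent straight out. $1 = rg, $2 = table, $3 = prefix
bypass_inspection_for() {
  rg="$1"; rt="$2"; prefix="$3"
  run az network route-table route create -g "$rg" --route-table-name "$rt" \
      -n "direct-$(printf '%s' "$prefix" | tr '/.' '--')" \
      --address-prefix "$prefix" --next-hop-type Internet
}

# Forwarded packets are dropped unless the appliance NIC has IP forwarding on.
# $1 = rg, $2 = NIC name
nva_enable_forwarding() {
  rg="$1"; nic="$2"
  run az network nic update -g "$rg" -n "$nic" --ip-forwarding true
}

# Usage (dry run)
nva_enable_forwarding net-rg nva-nic
force_tunnel_via_nva net-rg uksouth rt-app-egress 10.0.1.4 core-vnet app-subnet
bypass_inspection_for net-rg rt-app-egress 13.107.6.152/31
```

To confirm the routes that a VM actually sees (including the override of the system default), use az network nic show-effective-route-table -g <rg> -n <nic>; the 0.0.0.0/0 line should show the appliance as next hop.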

Office 365 Additional Security, Require MFA to Join Devices to Azure Active Directory

How to enable the setting that prompts for Multi-Factor Authentication when a device is joined to Azure Active Directory (an Azure AD join, not an on-premises domain join). We would also like to limit the number of devices a user can have to 5.

Start in the Azure Active Directory admin center.

Select Azure Active Directory > Devices.

Under Devices click "Device settings".

Now you can set the maximum number of devices per user and require MFA to join devices. Note that Microsoft now recommends enforcing this through a Conditional Access policy targeting the "Register or join devices" user action instead of this device setting, and the two should not be used together.