Azure VPN Azure Active Directory authentication

Create Azure P2S VPN with Azure AD authentication

A couple of days ago, we announced that you can now use Azure Active Directory to authenticate Point-to-Site (P2S) VPN connections to your Azure virtual network. Before, you could only connect to your Azure virtual network (VNet) using certificate-based or RADIUS authentication; if you are using the OpenVPN protocol, you can now also use Azure Active Directory authentication. In this blog post, I will walk you through how you can set up an Azure P2S VPN connection using Azure AD authentication.

Prerequisites

To set this up, you will need a couple of things in place before we get started. Here are the prerequisites:

If you already have this in place, you are good to go.

How to configure Azure P2S VPN with Azure AD authentication

First, you will need to look up your Azure AD Directory ID that you want to use for authentication. It is listed in the properties of the Azure AD page.

Azure AD Directory ID

Next, you will need to give admin consent. You can copy this URL to your browser’s address bar. This URL is for Azure Public, if you are deploying in Azure Government, Azure Cloud Germany or Azure China, check out the following Microsoft Docs article.

https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent

You will be prompted to accept the Azure AD VPN application. You will need to log in with an account that has Global Admin rights.

If you now go back to your Azure Active Directory tenant and open Enterprise applications, you will see Azure VPN listed.

Azure AD Azure VPN App

After that, you will find the Azure VPN application registered in your Azure Active Directory.

Registered App

Enable Azure AD authentication on the VPN gateway

Now we need to configure the Azure Virtual Network Gateway itself. For that, you will need to have a functional point-to-site VPN environment already (see prerequisites). If you don’t have one, you can follow these steps here: Configure a Point-to-Site VPN connection to a VNet using native Azure certificate authentication: Azure portal

To enable Azure AD authentication on the Azure Virtual Network Gateway (VPN Gateway), you need to run the following Azure PowerShell commands.

$gw = Get-AzVirtualNetworkGateway -Name "name of VPN gateway" -ResourceGroupName "Resource group"
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -VpnClientRootCertificates @()
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -AadTenantUri "https://login.microsoftonline.com/your Directory ID" -AadAudienceId "41b23e61-6c1e-4545-b367-cd054e0ed4b4" -AadIssuerUri "https://sts.windows.net/your Directory ID/" -VpnClientAddressPool 192.168.0.0/24 -VpnClientProtocol OpenVPN

You can also modify the client IP address pool if you need to. The GUID 41b23e61-6c1e-4545-b367-cd054e0ed4b4 is the Application ID of the Azure VPN Client in Azure Public Cloud.

Now you can create the VPN profile for the client by running the following Azure PowerShell commands. By the way, you can also run Azure PowerShell directly from Azure Cloud Shell.

# Use a dedicated variable name: $profile would shadow PowerShell's automatic $PROFILE variable
$vpnProfile = New-AzVpnClientConfiguration -Name "name of VPN gateway" -ResourceGroupName "Resource group" -AuthenticationMethod "EapTls"
$vpnProfile.VpnProfileSASUrl

Copy the URL to your browser to download the profile in a zip file.

Download AzureVPN Configuration XML

This zip file contains the azurevpnconfig.xml file with the settings for the VPN connection, which users can import into their Azure VPN client. You can find more information about setting this up on Microsoft Docs.
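Before handing the profile out, it is worth checking that the gateway actually ended up with the intended Azure AD settings and nothing else. The following script is an added example, not code from the original post; it assumes the Az.Network module, an existing Connect-AzAccount login, placeholder gateway and directory names, and that the gateway exposes the P2S settings under VpnClientConfiguration (AadTenant, AadAudience, AadIssuer, VpnClientProtocols, VpnClientRootCertificates).

```powershell
# Added verification script (not from the original post): confirm the gateway is set up for
# Azure AD authentication over OpenVPN after the Set-AzVirtualNetworkGateway commands above.
# Assumes Az.Network is installed and you are logged in (Connect-AzAccount).
$gatewayName   = "name of VPN gateway"                     # placeholder
$resourceGroup = "Resource group"                          # placeholder
$directoryId   = "your Directory ID"                       # placeholder Azure AD tenant ID
$vpnAppId      = "41b23e61-6c1e-4545-b367-cd054e0ed4b4"    # Azure VPN app ID, Azure Public (from the post)

$gw  = Get-AzVirtualNetworkGateway -Name $gatewayName -ResourceGroupName $resourceGroup
$cfg = $gw.VpnClientConfiguration   # assumed property holding the P2S client settings

# The values the three -Aad* parameters above should have produced
$expected = @{
    AadTenant   = "https://login.microsoftonline.com/$directoryId"
    AadAudience = $vpnAppId
    AadIssuer   = "https://sts.windows.net/$directoryId/"
}

$problems = @()
foreach ($key in $expected.Keys) {
    if ($cfg.$key -ne $expected[$key]) {
        $problems += "$key is '$($cfg.$key)', expected '$($expected[$key])'"
    }
}

if ($cfg.VpnClientProtocols -notcontains "OpenVPN") {
    $problems += "OpenVPN is not enabled (protocols: $($cfg.VpnClientProtocols -join ', '))"
}

# The post clears the root certificates first; flag any that are still present, because they
# would keep certificate-based logins possible next to Azure AD.
$rootCerts = @($cfg.VpnClientRootCertificates)
if ($rootCerts.Count -gt 0) {
    $problems += "$($rootCerts.Count) root certificate(s) still configured on the gateway"
}

if ($problems.Count -eq 0) {
    Write-Output "Gateway '$gatewayName' is configured for Azure AD authentication over OpenVPN."
} else {
    Write-Warning "Gateway '$gatewayName' needs attention:"
    $problems | ForEach-Object { Write-Warning "  - $_" }
}
```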

Configure a VPN client for P2S OpenVPN protocol connections using Azure AD authentication

The next step will be to download the Azure VPN client here.

After you have installed the Azure VPN client, you can start configuring the VPN client.

Configure Azure VPN Client

Click on the bottom left on the “+” sign and click on Import. Select the azurevpnconfig.xml file.

Import azurevpnconfig.xml file

You can now review the settings for the configuration.

Review Settings

You can also set up the configuration manually if you want. The tenant value is the URL of your Azure AD tenant, and the Audience is the Azure VPN application registered in your Azure AD tenant.

Azure VPN Client Azure AD Configuration

After that, you can use the Azure VPN client to connect to your virtual network. It will prompt you to log in with your Azure AD credentials.

Azure Active Directory Azure VPN connected

If you need more information to set up the VPN client or find some additional troubleshooting information, have a look at this Microsoft Docs article.

I hope this gives you a great overview of how you can set up Azure VPN using OpenVPN and Azure Active Directory (Azure AD) for authentication. You can find the official documentation about configuring your Azure AD tenant as well as the VPN gateway here, and you can find the documentation to configure the VPN client here. If you have any questions, feel free to leave a comment.



Microsoft Certification Transcript

How to Share your Microsoft Certification Transcript

If you have taken Microsoft Certification exams, you will get a Microsoft Certification Transcript attached to your Microsoft Certification ID and account. In this transcript, you will find all the exams you have taken, active certifications and certification history. In case you want or need to share your Microsoft Certification Transcript with your employer, friends, and colleagues, you can follow the steps I listed here.

This Microsoft transcript is the official record of your exam and certification achievements. You can email yourself a copy of the transcript, share your transcript with your employer, friends, and colleagues, and download a copy.

Please note it can take up to 48 hours after passing an exam for an exam or certification to appear on your transcript.

Share your Microsoft Certification Transcript

Go to https://mcptnc.microsoft.com/transcript and log in with the Microsoft account you used to take your Microsoft Certification Exam. You will find the online version of your transcript. You can email it, download it as a PDF or give people online access to your transcript.

Microsoft Certification Transcript

If you want to share it online so that people can access the current version, you can click on Share.

Share your Transcript

You can define an access code and share the link together with the Transcript ID and Access Code with the person who needs access. You will get the following data:

You can now share your Microsoft transcript with your employer, friends, and colleagues by providing the following information to them:
Transcript ID: XXXXXXX
Access Code: XXXXXXXXX
Transcript Viewing Page: https://mcp.microsoft.com/Anonymous//Transcript/Validate

I hope this helps you to share your Microsoft Certification Transcript. You can find more information about Microsoft Certifications on the website.

If you want to learn more about why you should become Microsoft Certified, or how you get started with your Azure Certifications, check out my blog post. I also summarized in a blog how you learn Microsoft Azure in 2020. If you have any questions, please feel free to leave a comment.



Azure 10 Birthday

A decade later: Microsoft Azure at ten – Interview on Nigel Frank

Microsoft Azure just celebrated its 10th birthday. I had the chance to be interviewed by Nigel Frank International about the last ten years, today and the future, right in time for the 10th birthday of Microsoft Azure. You can read the full interview here, where Microsoft MVPs Mark Scholman and Charbel Nemnom together with myself answer a couple of questions like:

  • Did you encounter any skepticism in the early days, surrounding both Azure and broader cloud technology?
  • In the ten years since Azure’s official launch, has the product evolved as you expected?
  • How does each of you view the influence Azure has had on the cloud technology industry?
  • Can you pinpoint any turning points over the last ten years when Azure stood out as something of a game-changer?
  • Finally, what would you like to see next from Microsoft Azure?

Originally titled Windows Azure upon its official launch in February 2010—a moniker that would change to Microsoft Azure some four years later—the cloud platform has changed the face of computing on a scale previously unimagined.

A decade on, the service has arguably developed beyond recognition, expanding and adapting at regular intervals to help businesses of all shapes and sizes. The freedom to build, deploy and manage applications on a global scale is just one consequence, with 95% of Fortune 500 companies putting their faith (and trust) in the product.

To mark the platform’s tenth birthday, we sat down with Azure Stack consultant Mark Scholman, Microsoft Senior Cloud Advocate Thomas Maurer, and Cloud Architect and ICT Security Expert Charbel Nemnom—three Microsoft MVPs who have used Azure in all of its guises on a daily basis—to talk about the journey so far and the future of cloud computing.

I am looking forward to the next ten years of Microsoft Azure, especially since I am now part of the Azure team. And if you want to learn more about Microsoft Azure, check out my blog post about learning Microsoft Azure in 2020!

  • Azure Architecture Center – The Azure Architecture Center contains guidance for building end-to-end solutions on Microsoft Azure. Here you will find reference architectures, best practices, design patterns, scenario guides, and reference implementations.
  • Cloud Adoption Framework – The Cloud Adoption Framework is the One Microsoft approach to cloud adoption in Azure, consolidating and sharing best practices from Microsoft employees, partners, and customers. The framework gives customers a set of tools, guidance, and narratives that help shape technology, business, and people strategies for driving desired business outcomes during their adoption effort. This guidance aligns to the phases of the cloud adoption lifecycle: Strategy, Plan, Ready, Migrate, Innovate, Govern, and Manage.
  • Azure Migration Center – Get all the tools and resources you need to migrate your apps, data, and infrastructure at your own pace, with confidence.
  • Azure Architecture Framework – A successful cloud solution requires a focus on these five pillars of architecture excellence: Cost, DevOps, Resiliency, Scalability, and Security. The Azure Architecture Framework helps you to build on these pillars.
  • Azure Reference Architectures – The Reference Architectures are a set of recommended architectures for Azure. Each architecture includes best practices, prescriptive steps, and a deployable solution.
  • Architectural decision guides – The architectural decision guides in the Cloud Adoption Framework describe patterns and models that help when creating cloud governance design guidance.
  • Cloud Operating model – Establish an operating model for the cloud
  • Azure Hybrid – Learn about Azure Hybrid Cloud with features and services like Azure Stack, Azure Arc, and many more.
  • Azure Security – Learn about Azure and security
  • Azure compliance – Get an overview of compliance in Microsoft Azure, with more than 90 compliance offerings
  • Azure pricing – learn about how Azure pricing works and how you can save costs and get the best value at every stage of your cloud journey.

I hope you enjoy the interview. If you have any questions, let me know in the comments.



Speaking at Microsoft Ignite 2019

Speaking at Microsoft Ignite The Tour 2020 Copenhagen

My 5th Microsoft Ignite The Tour (MITT) stop after Shenzhen, London, Milan and Prague will be Microsoft Ignite The Tour in Copenhagen. Microsoft Ignite The Tour brings the very best of Microsoft Ignite to a city near you. The tour provides technical training led by Microsoft experts and your community. You’ll learn new ways to build solutions, migrate and manage infrastructure, and connect with local industry leaders and peers.

  • Date: February 27–28, 2020
  • Location: Bella Center, Copenhagen

Microsoft Ignite The Tour Copenhagen

Our industry-leading conference is hitting the road—and coming to a city near you. You don’t want to miss the very latest in cloud technologies and developer tools with guest speakers, industry experts, and more. Get on the list today!

I will be speaking in the Microsoft Ignite The Tour learning paths. I am thrilled to show you some cool stuff about PowerShell, Windows Server 2019, Windows Admin Center, Azure Arc, and much more! I will be presenting the following sessions:

MSI20 - Hybrid management technologies

Tailwind Traders has now migrated the majority of their server hosts from Windows Server 2008 R2 to Windows Server 2019. Now, they are interested in the Azure hybrid technologies that are readily available to them. In this session, learn how Tailwind Traders began using Windows Admin Center and Azure Arc to manage its fleet of Windows Server computers and integrated hybrid technologies, such as Azure File Sync, Azure Site Recovery, and Azure Update Management, to improve deployment performance and manageability.

MCO20 - Azure governance and management

Tailwind Traders’ deployments are occurring in an ad hoc manner, primarily driven by lack of protocol and unapproved decisions by various operators or employees. Some deployments even violate the organization’s compliance obligations, such as being deployed in an unencrypted manner without DR protection. After bringing their existing IaaS VM fleet under control, Tailwind Traders wants to ensure future deployments comply with policy and organizational requirements. In this session, walk through the processes and technologies that will keep Tailwind Traders’ deployments in good standing with the help of Azure Blueprints, Azure Policy, role-based access control (RBAC), and more.

By the way, if you are interested in taking a Microsoft certification exam for free, check out the following blog post: Free Microsoft Certification exam voucher at Microsoft Ignite The Tour 2020. We also offer free certification vouchers at Microsoft Ignite in Copenhagen.

I am looking forward to speaking at Microsoft Ignite The Tour (MITT) 2019-2020 in Copenhagen. Let me know in the comments if you are going too, and I hope to see you there!



Azure Locks - Governance

Prevent Azure Resources from unexpected deletion using Locks

In this blog post, we will have a quick look at the basics of Azure Governance and how you can use Locks in Azure to govern your environment and protect resources from accidental deletion or changes. Cloud Computing is excellent, and you can deploy and delete services in seconds and go full speed. However, with that, there are also many challenges that are coming your way. Think about control over cost, security, or compliance. You don’t want everyone to be able to deploy a large Mv2-series virtual machine to test their application, and you might also not want people deploying services all over the world using one of the 55 Azure regions worldwide. The way to prevent things like this is called technical governance. However, it can be implemented in different ways.

Technical Governance

The traditional approach was that you set a team or a person in front of the cloud, which can be called a cloud custodian or cloud broker team. And this team then decided on which services are going to get deployed and how. Now with that approach, people and processes become the limiting factor if you look at speed and agility.

Traditional approach

To take advantage of the speed and agility of the cloud, you want to give developers, operations people, or even whole teams and divisions in your company direct access to the cloud, but still stay in control of the cloud environment. With Azure, we provide you with exactly these management tools, to make sure that you can keep control, but also keep the speed and agility the cloud promises.

Cloud-Native Governance

Azure Resource Manager offers a couple of different tools for Azure Governance like Management Groups, Azure Policies, Azure Blueprints, Cost Management, and many more. In this quick blog, we will have a look at one of the basics called Azure Locks, which are part of the foundation. If you need to get started with Azure and especially Azure Governance, I created a blog post with some useful links.

Lock resources to prevent unexpected changes and deletion of Azure resources

We all have been there, we wanted to clean up some resources quickly or quickly run a script which changes a couple of settings, and we realized we just made a huge mistake. That is why it is great to have some locks in place to prevent unexpected changes and deletion to happen. With locks in Azure, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources.

Lock Types

You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only, respectively.

  • CanNotDelete means authorized users can still read and modify a resource, but they can’t delete the resource.
  • ReadOnly means authorized users can read a resource, but they can’t delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

You can find more information about the lock types here.

Permissions to create or delete locks

You will need to have access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* to create or delete locks. By default, only the built-in roles Owner and User Access Administrator have these permissions.

Locks apply restrictions across all users and roles and can be applied at different scopes. These scopes are subscription, resource groups, or resources, and all resources within that scope inherit the same lock. If you have multiple locks in place, the most restrictive lock in the inheritance is applied. If you want to know more about permissions to set locks, you can find more information here.

How to lock a resource group

As an example of how locks can work, I wanted to show you how you can lock a resource group. You can create and assign locks using different methods and tools like the Azure Portal, Azure CLI, Azure PowerShell, Azure Resource Manager templates, or the REST API.

In the portal, open up your resource group and click on Locks in the Settings blade.

Azure Locks

After that, you can click on Add and configure the lock.

Add a lock to an Azure Resource Group

Now, if someone tries to delete this resource group, they will get the following error.

Azure Resource Group is locked and can't be deleted

You can also set the lock using PowerShell:

New-AzResourceLock -LockName LockMyVNET -LockLevel CanNotDelete -ResourceGroupName azure-rg

Or the Azure CLI:

az lock create --name LockMyVNET --lock-type CanNotDelete --resource-group azure-rg
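Locking one resource group by hand is fine for a demo; in practice you want to know which resource groups in a subscription have no lock at all. The following script is an added example, not from the original post; it assumes the Az.Resources module, an existing Connect-AzAccount login with the subscription selected, and a placeholder lock name, and it only creates locks when run with -Fix.

```powershell
# Added governance check (not from the original post): report resource groups in the current
# subscription that carry no lock, and optionally add a CanNotDelete lock to them.
# Assumes Az.Resources is installed and you are logged in (Connect-AzAccount / Set-AzContext).
# Save as a .ps1 and run it, e.g.:  .\Check-RgLocks.ps1 -Exclude sandbox-rg -Fix
param(
    [switch]$Fix,                          # set -Fix to create the missing locks
    [string]$LockName = "DoNotDelete",     # placeholder lock name
    [string[]]$Exclude = @()               # resource groups allowed to stay unlocked (e.g. sandboxes)
)

$unlocked = @()
foreach ($rg in Get-AzResourceGroup) {
    if ($Exclude -contains $rg.ResourceGroupName) { continue }

    # -AtScope returns locks set at or above the resource group (including inherited
    # subscription-level locks), not locks on individual resources inside it.
    $locks = @(Get-AzResourceLock -ResourceGroupName $rg.ResourceGroupName -AtScope)

    # Both lock levels block deletion; ReadOnly is the stricter of the two.
    $deleteProtected = $locks | Where-Object { $_.Properties.level -in @("CanNotDelete", "ReadOnly") }
    if (-not $deleteProtected) {
        $unlocked += $rg.ResourceGroupName
    }
}

if ($unlocked.Count -eq 0) {
    Write-Output "Every resource group is protected against deletion."
    return
}

Write-Warning "Resource groups without a delete lock: $($unlocked -join ', ')"

if ($Fix) {
    foreach ($name in $unlocked) {
        # -Force skips the confirmation prompt; the note documents who added the lock and why
        New-AzResourceLock -LockName $LockName -LockLevel CanNotDelete -ResourceGroupName $name `
            -LockNotes "Added by governance check" -Force
        Write-Output "Locked resource group '$name'."
    }
}
```

Running it without -Fix is a read-only audit you can schedule; review the reported groups before locking them, since a lock also blocks scripted cleanup by the teams that own them.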

If you want to learn more about Azure Governance and especially Azure Locks, check out the following link to Microsoft Docs:

I hope this gives you an understanding of locks in Azure. If you have any questions, feel free to leave a comment.



Tom Microsoft HoloLens

One Year at Microsoft

Time went by so fast that I almost missed that this is my one-year work anniversary at Microsoft. I have to admit that this year went really fast. I got to work on a lot of exciting projects, had the opportunity to meet and work with insanely brilliant people, and was able to work on things I enjoy.

Since I am treating my blog kind of like my diary, I think this deserves a short blog post. I am currently back in Redmond for our annual Cloud Advocate Summit, and yes, it is the same time as the internal Microsoft Ready conference. I am a little jetlagged, and so I can use the early morning to write this blog. And that reminds me of my start in February 2019, where I also traveled to Redmond on my second day of work.

People often ask me: how are you doing? Are you still happy with your decision? I can only say yes, it was a great decision to join Microsoft, and I have no regrets about leaving my old job. Not because I didn’t like my old job, I really did enjoy it. But after seven years working for the same company, it was time to take on a new challenge.

Another question is, what are your highlights? Well, there are too many to count and list them all, but apart from being part of an awesome team and working on the things I enjoy, I have a couple of things I want to highlight. The first thing I want to share is how insanely helpful everyone is; I can’t remember how many times I heard the words “tell me if I can help you”. Most importantly, I realized that these were not just words, but everyone meant it. If I had questions or needed help, every single person was there to help. The second thing I want to highlight is how much I was able to learn. Working with so many clever and talented people helps you learn new things, get fresh perspectives, and find new ways of achieving something. The company is also set up with this learn-it-all versus know-it-all mentality.

Of course, there are also things you might not like that much, especially if you join a large corporation. However, since I was working with Microsoft before, I knew what I was getting into, and I knew what to expect.

One year after joining Microsoft, I want to say thank you to my team and my manager, who hired me and gave me this opportunity. I also want to thank the people I worked with inside and outside of Microsoft, as well as my girlfriend, who has to deal with my travel schedule 😉 and supports me. I am also really looking forward to the time ahead of us, and to keep working with the Microsoft community.



Microsoft Ignite The Tour 2020

Speaking at Microsoft Ignite The Tour 2020 Prague

After my first three Microsoft Ignite The Tour (MITT) stops in Shenzhen, London, and Milan, I am happy and honored that my fourth stop of Microsoft Ignite The Tour will be in Prague. By the way, if you are interested in taking a Microsoft certification exam for free, check out the following blog post: Free Microsoft Certification exam voucher at Microsoft Ignite The Tour 2020. We also offer the free certification vouchers at Microsoft Ignite in Prague.

  • Date: February 24–25, 2020
  • Location: Prague Congress Centre

Microsoft Ignite The Tour Prague

Our industry-leading conference is hitting the road—and coming to a city near you. You don’t want to miss the very latest in cloud technologies and developer tools with guest speakers, industry experts, and more. Get on the list today!

I will be speaking in the Microsoft Ignite The Tour learning paths. I am thrilled to show you some cool stuff about PowerShell, Windows Server 2019, Windows Admin Center, Azure Arc, and much more! I will be presenting the following sessions:

MSI20 - Hybrid management technologies

Tailwind Traders has now migrated the majority of their server hosts from Windows Server 2008 R2 to Windows Server 2019. Now, they are interested in the Azure hybrid technologies that are readily available to them. In this session, learn how Tailwind Traders began using Windows Admin Center and Azure Arc to manage its fleet of Windows Server computers and integrated hybrid technologies, such as Azure File Sync, Azure Site Recovery, and Azure Update Management, to improve deployment performance and manageability.

MCO20 - Azure governance and management

Tailwind Traders’ deployments are occurring in an ad hoc manner, primarily driven by lack of protocol and unapproved decisions by various operators or employees. Some deployments even violate the organization’s compliance obligations, such as being deployed in an unencrypted manner without DR protection. After bringing their existing IaaS VM fleet under control, Tailwind Traders wants to ensure future deployments comply with policy and organizational requirements. In this session, walk through the processes and technologies that will keep Tailwind Traders’ deployments in good standing with the help of Azure Blueprints, Azure Policy, role-based access control (RBAC), and more.

I am looking forward to speaking at Microsoft Ignite The Tour (MITT) 2019-2020 in Prague. Let me know in the comments if you are going too, and I hope to see you there!