Azure Security Fundamentals: Moving Co-Admins to RBAC

16th of October, 2015 / / 9 Comments

Anyone who has worked with Azure for long enough knows the raised eyebrow response you have gotten from security teams in the past when you describe how you can enforce separation of duties and least privilege when it comes to Azure subscription and service management. In a previously well-received blog post, one of my colleagues provided good guidance around subscription management as it applied to Azure at that time.

Essentially, the situation was:

  • Any Azure service management required full administrator or co-administrator access to a subscription which provided the user with full permission to do anything provisioned there-in.
[Keep reading] “Azure Security Fundamentals: Moving Co-Admins to RBAC”

[UPDATED] Azure AD Connect: SyncRuleEditor.exe and why is targetAddress missing

17th of September, 2015 / / No Comments

Originally  blogged @ lucian.blog. Follow Lucian on Twitter @LucianFrango. Send Lucian an email.

Today is back to AAD Connect. I want to talk about Office 365 migrations and how they can be tricky with various options and scenarios around hybrid or non hybrid. On a recent project we were migrating a client from IBM Lotus Notes to Exchange Online in Office 365. The plan and proposed solution was designed to not use Exchange Server Hybrid on-premises and use Dell Software Migrator for a direct migration from on-premises to the cloud.

The client has never had Exchange Server on-premises before and was running a well-managed ADDS deployment spanning three sites across three continents. To allow for the schema requirements for Exchange Online, Exchange Server 2013 was downloaded and the ADDS schema was extended with that from Exchange Server 2013. All simple, standard stuff right?..

Read More

Secure Azure Virtual Network Defense In Depth using Network Security Groups, User Defined Routes and Barracuda NG Firewall

25th of August, 2015 / / 3 Comments

Security Challenge on Azure

There are few common security related questions when we start planning migration to Azure:

  • How can we restrict the ingress and egress traffic on Azure ?
  • How can we route the traffic on Azure ?
  • Can we have Firewall kit, Intrusion Prevention System (IPS), Network Access Control, Application Control and Anti – Malware on Azure DMZ ?

This blog post intention is to answer above questions using following Azure features combined with Security Virtual Appliance available on Azure Marketplace:

  • Azure Virtual Network (VNET)
  • Azure Network Security Groups (NSGs)
  • Azure Network Security Rule
  • Azure Forced Tunelling
  • Azure Route Table
  • Azure IP Forwarding
  • Barracuda NG Firewall available on Azure Marketplace

One of the most common methods of attack is The Script Kiddie / Skiddie / Script Bunny / Script Kitty.… [Keep reading] “Secure Azure Virtual Network Defense In Depth using Network Security Groups, User Defined Routes and Barracuda NG Firewall”

Kloud Solutions named as Microsoft Australia Partner Awards finalist in four categories!

10th of August, 2015 / / No Comments

MELBOURNE, VICTORIA – 10 August, 2015 – Today, Kloud Solutions proudly announced it has been named a finalistin four categories in the 2015 Microsoft Australian Partner Awards (MAPA):

  • Cloud Productivity
  • Cloud Platform
  • Managed Service
  • Social Enterprise

Earlier this year, Kloud won Cloud Productivity Partner of the Year and was recognised as a finalist for Enterprise Mobility Suite Partner of the Year at Microsoft’s Worldwide Partner Conference in Orlando, Florida.

Kloud’s managing director Nicki Bowers is proud of the recognition, saying it is representative of the way customers entrust Kloud with their journey to the cloud.… [Keep reading] “Kloud Solutions named as Microsoft Australia Partner Awards finalist in four categories!”

Azure Active Directory Connect Export profile error: stopped-server-down.

5th of August, 2015 / / 14 Comments

Follow Lucian on Twitter @LucianFrango.

A couple of weeks ago I deployed Azure AD Connect in production. It was a relatively smooth process. The wizard did most of the work which was great. There was a few hiccups (blog post) along the way, which, in most cases is expected if the problems are not so serious.

Fast forward to my second install of the latest and greatest sync service for Azure AD and Office 365 cloud identities and we have problem no. 2. This time, though, I can say that the process ran through allot smoother. There was no real errors. Things were looking straight great and I was looking at my next task with some enthusiasm.

However, come 8.30ish this morning and going over the AADConnect server once more for peace of mind, I had noticed that the “Export” profile task that runs as the last task in the scheduled hourly run for AADConnect synchronisation (I’ve set it to 60min), unfortunately had a nice little error for me:

2015-08-05--AADC-Error--01

Read More

Azure Preview Features website

31st of July, 2015 / / No Comments

I had stumbled upon this site before, however, on my long journey through the interwebs I must have forgotten or lost it. The site I’m referring to is the Azure Preview Features site which isn’t directly accessible through the main Azure site top or bottom menu’s. So as this is a lucky find, I thought I’d share.

(Note: If you Google Azure preview; the site is the first result that comes up. Face palm?)

The Azure Feature Preview site is a list of current publicly accessible preview features and functionality. Moreover, Microsoft explain that the preview features in Azure are as follows:

Azure currently offers the following preview features, which are made available to you for evaluation purposes and subject to reduced or different service terms, as set forth in your service agreement and the preview supplemental terms. Azure may include preview, beta, or other pre-release features, services, software, or regions to obtain customer feedback (“Previews”). Previews are made available to you on the condition that you agree to these terms of use, which supplement your agreement governing use of Microsoft Azure.

Read More

Azure VNET gateway: basic, standard and high performance

23rd of July, 2015 / / 6 Comments

Originally posted @ Lucian.Blog. Follow Lucian on twitter @Lucianfrango.

I’ve been working a lot with Azure virtual network (VNET) virtual private network (VPN) gateways of late. The project I’m working on at the moment requires two sites to connect to a multi-site dynamic routing VPN gateway in Azure. This is for redundancy when connecting to the Azure cloud as there is a dedicated link between the two branch sites.

Setting up a multi-site VPN is a relatively streamlined process and Matt Davies has written a great article on how to run through that process via the Azure portal on the Kloud blog.

Read More

ADFS sign-in error: “An error occurred. Contact your administrator for more information.”

22nd of July, 2015 / / 4 Comments

Originally posted @ Lucian.Blog. Follow Lucian on twitter @Lucianfrango.

I’ve not had that much luck deploying Azure AD Connect and ADFS 3.0 in Azure for a client in the last few weeks. After some networking woes I’ve moved onto the server provisioning and again got stuck. Now, I know IT is not meant to be easy otherwise there wouldn’t be some of the salaries paid out to the best and brightest, this install though was simple and nothing out of the ordinary. A standard deployment that I and many others have done before.

Let me paint the picture: ADFS is now running, although not working, in Azure compute across a load balanced set of two servers with a further load balanced set of web application proxy (WAP) servers in front. Theres two domain controllers and a AAD Connect server all across a couple of subnets in a VNET.

Read More

Azure AD Connect: Connect Service error “stopped-extension-dll-exception”

21st of July, 2015 / / 8 Comments

Originally posted @ Lucian.Blog. Follow Lucian on twitter @Lucianfrango.

I was rather stuck the other day. Azure AD Connect provisioning has not been the smoothest of installs even following the wizard and successfully completing the mostly automated process. Azure AD Connect has built upon the previous generation sync services and, from what I’ve read, isn’t much of a new app, rather a version upgrade and re-name from the AADSync service still (as of July 2015) the default for Office 365 directory replication from on-premises to Azure AD.

Past versions and previous generation aside, a now generally available app should feature a working and thoroughly tested feature set. Should…

Read More

How to provision Azure Active Directory Connect

20th of July, 2015 / / 33 Comments

Originally posted @ Lucian.Blog

Time flies when you’re connecting to Azure AD. Late last month Microsoft announced that Azure AD Connect is now generally available. At the time of writing this, the synchronisation app itself still isn’t the default sync standard for Azure and obtaining the installer requires a quick Google. Since I’m deploying it for a client, I thought I’d run through the install process for future reference.

AADConnect provides allot of new functionality like for example this new fandangled ADDS password sync. In this scenario I’m keeping federation services, so ADFS will be deployed, which is more aligned with the previous or most common enterprise identity design.

This is going to be a long blog post with allot of screen shots (you’re welcome) on how to deploy Azure AD Connect. I’ll be going though the wizard process which will follow the automated process to deploy AADConnect, ADFS and ADFS WAP servers- pretty cool indeed.

At the moment AADConnect still isn’t the standard synchronisation service for Office 365 or Azure AD and requires download from the Microsoft Download Centre. To begin with, I’ve downloaded the AADConnect installer from this location.

Read More